690 Vicenc¸ Torra
35.2.1 Computation-Driven Protection Procedures: the Cryptographic
Approach
As stated above, cryptographic protocols are often applied in applications where the analysis
(or function) to be computed from the data is known. In fact, it is usually applied to scenarios
with multiple data sources. We illustrate below this scenario with an example.
Example 1. Parties P
1
, ,P
n
own databases DB
1
, ,DB
n
. The parties want to compute a
function, say f , of these databases (i.e., f (DB
1
, ,DB
n
)) without revealing unnecessary in-
formation. In other words, after computing f (DB
1
, ,DB
n
) and delivering this result to all
P
i
, what P
i
knows is nothing more than what can be deduced from his DB
i

and the function f .
So, the computation of f has not given P
i
any extra knowledge.
Distributed privacy preserving data mining is based on the secure multiparty computation,
which was introduced by A. C. Yao in 1982 (Yao, 1982). For example, (Lindell and Pinkas,
2000) and (Lindell and Pinkas, 2002) defined a method based on cryptographic tools for com-
puting a decision tree from two data sets owned by two different parties. (Bunn and Ostrovsky,
2007) discusses clustering data from different parties.
When data is represented in terms of records and attributes, two typical scenarios are
considered in the literature: vertical partitioning of the data and horizontal partitioning. They
are as follows.
• Vertically partitioned data. All data owners share the same records, but different data own-
ers have information about different attributes (i.e., different data owners have different
views of the same records or individuals).
• Horizontally partitioned data. All data owners have information about the same attributes,
nevertheless the records or individuals included in their data bases are different.
As stated above, for both centralized and distributed PPDM the only information that
should be learnt by the data owners is the one that can be inferred from his original data
and the final computed analysis. In this setting, the centralized approach is considered as a
reference result when analyzing the privacy of the distributed approach. Privacy leakage for
the distributed approach is usually analyzed considering two types of adversaries.
• Semi-honest adversaries. Data owners follow the cryptographic protocol but they anal-
yse all the information they get during its execution to discover as much information as
they can.
• Malicious adversaries. Data owners try to fool the protocol (e.g. aborting it or sending
incorrect messages on purpose) so that they can infer confidential information.
Computation-driven protection procedures using cryptographic approaches present some
clear advantges with respect to general purpose ones. The first one is the good quality of the
computed function (analysis). That is, the function we compute is exactly the one the users

want to compute. This is not so, as we will see later, when other general purpose protection
methods are used. In this latter case, the resulting function is just an approximation of the
function we would compute from the original data. At the same time, cryptographic tools
ensure an optimal level of privacy.
Nevertheless, this approach has some limitations. The first one is that we need to know
beforehand the function (or analysis) to be computed. As different functions lead to differ-
ent cryptographic protocols, any change on the function to be computed (even small ones)
requires a redefinition of the protocol. A second disadvantage is that the computational costs
35 Privacy in Data Mining 691
of the protocols are very high. In addition, it is even harder when malicious adversaries are
considered. (Kantarcioglu, 2008) discusses other limitations. One is that most literature only
considers the types of adversaries described above (honest, semi-honest and malicious). No
other types are studied. Another one is the fact that in these methods no trade-off can be found
between privacy and information loss (they use the term accuracy). As we will see later in
Sections 35.5 and 35.6, most general purpose protection procedures permit the user to select
an appropriate trade-off between these two contradictory issues. When using cyptographic
protocols, the only trade-off that can be implemented easily is the one between privacy and
efficiency.
35.2.2 Data-driven Protection Procedures
Given a data set, data-driven protection procedures construct a new data set so that the new
one does not permit a third party to infer confidential information present in the original data.
Different methods have been developed for this purpose. We will focus on the case where the
data set is a standard file defined in terms of records and attributes (microdata following the
jargon of statistical disclosure control). As stated above, we can also consider other types of
data sets as e.g. aggregate data (tabular data following the jargon of SDC).
All data-driven methods are similar in the sense that they construct the new data set reduc-
ing the quality of the original one. As quality reduction might cause data to be unsuitable for a
particular analysis, measures have been developed to evaluate in what extent the protected data
set is still valid. These measures are known as information loss measures or utility measures.
Data-driven procedures are much more efficient with respect to computational cost than

the ones using cryptographic protocols. Nevertheless, this major efficiency is at the cost of
not ensuring complete privacy. Due to this, some measures of risk have been developed to
determine in which extent a protected data set ensures privacy. These measures are known as
disclosure risk measures.
These two families of measures, information loss and disclosure risk, are in contradiction
and, thus, methods should look for an appropriate trade-off between risk and utility. Tools have
been developed to visualize this trade-off and also to quantify this trade-off, so that protection
methods can be compared.
We will present some of the data protection procedures in Section 35.4, information loss
measures in Section 35.5, and visualization methods in Section 35.6. Section 35.3 includes a
description of the standard scenario for evaluating risk before reviewing disclosure risk mea-
sures.
35.3 Disclosure Risk Measures
Disclosure risk is defined in terms of the additional confidential information (in general, addi-
tional knowledge) that an intruder can acquire from the protected data set. According to (Lam-
bert, 1993, Paass, 1985), disclosure risk can be studied from two perspectives:
• Identity disclosure. This disclosure takes place when a respondent is linked to a particular
record in the protected data set. This process of linking is known as re-identification (of
the respondent).
• Attribute disclosure. In this case, defining disclosure as the disclosure of the identity
of the individual is considered too strong. Disclosure takes place when the intruder can
692 Vicenc¸ Torra
learn something new about an attribute of a respondent, even when no relationship can
be established between the individual and the data. That is, disclosure takes place when
the published data set permits the intruder to increase his accuracy on an attribute of the
respondent. This approach was first formulated in (Dalenius, 1977) (see also (Duncan and
Lambert, 1986) and (Duncan and Lambert, 1989)).
Interval disclosure is a measure, proposed in (Domingo-Ferrer et al., 2001) and (Domingo-
Ferrer and Torra, 2001b), for attribute disclosure. It is defined according to the following pro-
cedure. Each attribute is independently ranked and a rank interval is defined around the value

the attribute takes on each record. The ranks of values within the interval for an attribute
around record r should differ less than p percent of the total number of records and the rank
in the center of the interval should correspond to the value of the attribute in record r. Then,
the proportion of original values that fall into the interval centered around their corresponding
protected value is a measure of disclosure risk. A 100 percent proportion means that an at-
tacker is completely sure that the original value lies in the interval around the protected value
(interval disclosure).
Identity disclosure has received much attention in the last years and has been used to
evaluate different protection methods. Its formulation needs a concrete scenario. We present
it in the next section. Some identity disclosure risk measures will be reviewed later using this
scenario.
35.3.1 An Scenario for Identity Disclosure
The typical scenario is to consider the protected data set and an intruder having some partial
information about the individuals in the published data set. The protected data set is assumed
to be a data file, and it is usual to consider that intruder’s information can be represented in
the same way. See e.g. (Sweeney, 2002, Torra et al., 2006). Formally, we consider data sets
X with the usual structure of r rows (records) and k columns (attributes). Naturally, each row
contains the values of the attributes for an individual.
Then, the attributes in X can be classified (Dalenius, 1986, Samarati, 2001, Torra et al.,
2006) in three non-disjoint categories.
• Identifiers. These are attributes that unambiguously identify the respondent. Examples
are passport number, social security number, full name, etc.
• Quasi-identifiers. These are attributes that, in combination, can be linked with external
information to re-identify some of the respondents. Examples are age, birth date, gender,
job, zipcode, etc. Although a single attribute cannot identify an individual, a subset of
them can.
• Confidential. These are attributes which contain sensitive information on the respondent.
For example, salary, religion, political affiliation, health condition, etc.
Using these three categories, an original data set X is defined as X = id||X
nc

||X
c
, where id
are the identifiers, X
nc
are the non-confidential quasi-identifier attributes, and X
c
are the confi-
dential attributes. Let us consider the protected data set X

. X

is obtained from the application
of a protection procedure to X. This process takes into account the type of the attributes. It is
usual to proceed as follows.
• Identifiers. To avoid disclosure, identifiers are usually removed or encrypted in a prepro-
cessing step. In this way, information cannot be linked to specific respondents.
• Confidential. These attributes X
c
are usually not modified. So, we have X

c
= X
c
.
35 Privacy in Data Mining 693
• Quasi-identifiers. They cannot be removed as almost all attributes can be quasi-
identifiers. The usual approach to preserve the privacy of the individuals is to apply pro-
tection procedures to these attributes. We will use
ρ

to denote the protection procedure.
Therefore, we have X

nc
=
ρ
(X
nc
).
Therefore, we have X

=
ρ
(X
nc
)||X
c
. Proceeding in this way, we allow third parties to
have precise information on confidential data without revealing to whom the confidential data
belongs to.
In this scenario we have identity disclosure when an intruder, having some information
described in terms of a set of records and some quasi-identifiers, can link his information with
the published data set. That is, he is able to link his records with the ones in the protected data
set. Then, if the links between records are correct, he will be able to obtain the right values for
the confidential attributes.
Figure 35.1 represents this situation. A represents the file with data from the protected data
set (i.e., containing records from X

) and B represents the file with the records of the intruder.
B is usually defined in terms of the original data set X, because it is assumed that the intruder

has a subset of X . In general, the number of records owned by the intruder and the number of
records in the protected data file will differ.
Reidentification is achieved using some common quasi-identifiers on both X and X

. They
permit to link pairs of records (using record linkage algorithms) from both files, and, then, the
confidential attribute is linked to the identifiers. At this point reidentification is achieved.
Formally, following (Torra et al., 2006, Nin et al., 2007, Sweeney, 2002) and the nota-
tion in Figure 35.1, the intruder is assumed to know the non-confidential quasi-identifiers
X
nc
= {a
1
, ,a
n
} together with the identifiers Id = {i
1
,i
2
, }. Then, the linkage is between
identifiers (a
1
, ,a
n
) from the protected data (X

nc
) and the same attributes from the intruder
(X
nc

).
35.3.2 Measures for Identity Disclosure
Two main approaches exists for measuring identity disclosure risk. They are known by unique-
ness and re-identification. We describe them below.
• Re-identification. Risk is defined as an estimation of the number of re-identifications
that might be obtained by an intruder. This estimation is obtained empirically through
record linkage algorithms. This approach for measuring disclosure risk goes back, at
least, to (Spruill, 1983) and (Paass, 1985) (using e.g. the algorithm described in (Paass
and Wauschkuhn, 1985)). (Torra et al., 2006, Nin et al., 2007, Sweeney, 2002) are more
recent papers using this approach. This approach is general enough to be applied in differ-
ent contexts. It can be applied under different assumptions of intruder’s knowledge, and
under different assumptions on protection procedures. It can even be applied when pro-
tected data has been generated using a synthetic data generator (i.e., data is constructed
using a particular data model – see Section 35.4.3 for details). For example, (Torra et al.,
2006) describes empirical results about using record linkage algorithms on synthetic data.
The performance of different algorithms is discussed. (Winkler, 2004) considers a similar
problem.
• Uniqueness. Informally, the risk of identity disclosure is measured as the probability that
rare combinations of attribute values in the protected data set are indeed rare in the original
population.
This approach is typically used when data is protected using sampling (Willenborg, 2001)
(i.e., X

is just a subset of X ). Note that with perturbative methods it makes no sense to
694 Vicenc¸ Torra
(protected / public)
identifiersquasi-
identifiers
quasi-
identifiers

confidential
r
1
r
a
s
1
s
b
a
1
a
n
a
1
a
n
i
1
, i
2
,
B (intruder)A
a
b
Re-identification
Record linkage
Fig. 35.1. Disclosure Risk Scenario.
investigate the probability that a rare combination of protected values is rare in the original
data set, because that combination is most probably not found in the original data set.

In the next sections we describe these two approaches in more detail.
Uniqueness
Two types of disclosure risk measures based on uniqueness can be distinguished: file-level and
record-level. We describe them below.
• File-level uniqueness. Disclosure risk is defined as the probability that a sample unique
(SU) is a population unique (PU) (Elliot et al., 1998). According to (Elamir, 2004), this
probability can be computed as
P(PU |SU )=
P(PU ,SU )
P(SU )
=
∑
j
I(F
j
= 1, f
j
= 1)
∑
j
I(f
j
= 1)
where j = 1, ,J denotes possible values in the sample, F
j
is the number of individuals in
the population with key value j (frequency of j in the population), f
j
is the same frequency
for the sample and I stands for the cardinality of the selection. Unless the sample size is

much smaller than the population size, P(PU |SU ) can be dangerously high; in that case,
an intruder who locates a unique value in the released sample can be almost certain that
there is a single individual in the population with that value, which is very likely to lead
to that individual’s identification.
35 Privacy in Data Mining 695
• Record-level risk uniqueness. They are also known as individual risk measures. Dis-
clsoure risk is defined as the probability that a particular sample record is re-identified,
i.e. recognized as corresponding to a particular individual in the population. As (Elliot,
2002) points out, the main rationale behind this approach is that risk is not homogeneous
within a data file. We summarize next the description given in (Franconi.Polettini.2004)
of the record-level risk estimation.
Assume that there are K possible combinations of key attributes. These combinations
induce a partition both in the population and in the released sample. If the frequency of
the k-th combination in the population was known to be F
k
, then the individual disclosure
risk of a record in the sample with the k-th combination of key attributes would be 1/F
k
.
Since the population frequencies F
k
are generally unknown but the sample frequencies f
k
of the combinations are known, the distribution of frequencies F
k
given f
k
is considered.
Under reasonable assumptions, the distribution of F
k

|f
k
can be modeled as a negative
binomial. The per-record risk of disclosure is then measured as the posterior mean of
1/F
k
with respect to the distribution of F
k
|f
k
.
Record Linkage
This approach for measuring disclosure risk directly follows the scenario in Figure 35.1. That
is, record linkage consists of linking each record b of the intruder (file B) to a record a in
the original file A. The pair (a, b) is a match if b turns out to be the original record corre-
sponding to a. For applying record linkage, the common approach is to use the shared at-
tributes (some quasi-identifiers). As the number of matches is an estimation of the number of
re-identifications that an intruder can achieve, disclosure risk is defined as the proportion of
matches among the total number of records in B.
Two main types of record linkage algorithms are described in the literature: distance-
based and probabilistic. They are outlined below. For details on these methods see (Torra and
Domingo-Ferrer, 2003).
• Distance-based record linkage. Each record b in B is linked to its nearest record a in A.
An appropriate definition of a record-level distance has to be supplied to the algorithm
to express nearness. This distance is usually constructed from distance functions defined
at the level of attributes. In addition, we need to standardize attributes as well as assign
weights to them.
(Pagliuca et al., 1999) proposed distance-based record linkage to assess the disclosure risk
for microaggregation. They used Euclidean distance and equal weight for all attributes.
Later, in (Domingo-Ferrer and Torra, 2001b), distance-based record linkage (also with

Euclidean distance and equal weights) was used for evaluating other masking methods
as well. In their empirical work, distance-based record linkage outperforms probabilistic
record linkage (See Section 35.3.2 below).
The main advantages of using distances for record linkage are simplicity for the imple-
menter and intuitiveness for the user. Another strong point is that subjective information
(about individuals or attributes) can be included in the re-identification process by means
of appropriate distances.
The main difficulties for distance-based record linkage are (i) the selection of the ap-
propriate distance function, and (ii) the determination of the weights. In relation to the
distance function, for numerical data, the Euclidean distance is the most used distance.
Nevertheless, other distances have also been used as e.g. Mahalanobis (Torra et al., 2006),
and some Kernel-based ones (Torra et al., 2006). The difficulty of choosing a distance is
696 Vicenc¸ Torra
especially thorny in the cases of categorical attributes and of masking methods such as
local recoding where the masked file contains new labels with respect to the original data
set. The determination of the weights is also a rellevant problem that is difficult to solve.
In the case of the Euclidean distance, it is common to assign equal weights to all attributes,
and in the case of the Mahalanobis distance, this problem is avoided because weights are
extracted from the covariance matrix.
• Probabilistic record linkage
Probabilistic record linkage also links pairs of records (a,b) in data sets A and B, respec-
tively. For each pair, an index is computed. Then, two thresholds LT and NLT in the index
range are used to label the pair as linked, clerical or non-linked pair: if the index is above
LT , the pair is linked; if it is below NLT, the pair is non-linked; a clerical pair is one that
cannot be automatically classified as linked or non-linked. When independence between
attributes is assumed, the index can be computed from the following two conditional prob-
abilities for each attribute: the probability P(1|M) of coincidence between the values of
the attribute in two records a and b given that these records are a real match, and the prob-
ability P(0|U) of non-coincidence between the values of the attribute given that a and b
are a real unmatch.

To use probabilistic record linkage in an effective way, we need to set the thresholds LT
and NLT and estimate the conditional probabilities P(1|M) and P(0|U) used in the com-
putation of the indices. In plain words, thresholds are computed from: (i) the probability
P(LP|U) of linking a pair that is an unmatched pair (a false positive or false linkage) and
(ii) the probability P(NP|M) of not linking a pair that is a match (a false negative or false
unlinkage). Conditional probabilities P(1|M) and P(0|U) are usually estimated using the
EM algorithm (Dempster et al., 1977).
The original description of probabilistic record linkage can be found in (Fellegi and
Sunter, 1969) and (Jaro, 1989). (Torra and Domingo-Ferrer, 2003) describe the method
in detail (with examples) and (Winkler, 1993) presents a review of the state of the art on
probabilistic record linkage. In particular, this latter paper includes a discussion concern-
ing non-independent attributes. A (hierarchical) graphical model has recently been pro-
posed (Ravikumar and Cohen, 2004) that compares favorably with previous approaches.
Probabilistic record linkage methods are less simple than distance-based ones. However,
they do not require rescaling or weighting of attributes. The user only needs to provide the
two probabilities P(LP|U) (false positives) and P(NP|M) (false negatives).
The literature presents some other record linkage algorithms, some of which are variations
of the ones presented here. For example, (Bacher et al., 2002) presents a method based on
cluster analysis. The results are similar to the ones of distance-based record linkage as cluster
analysis assigns objects (in this case, records) that are similar (in this case, near) to each other,
to the same cluster. The algorithms presented here permit two records of the intruder b
1
and
b
2
to be assigned to the same record a. There are algorithms that force different records in B
to be linked to different records in A.
The approaches described so far for record linkage do not use any information about the
data protection process. That is, they use files A and B and try to re-identify as much records
as possible. In this sense, they are general purpose record linkage algorithms.

In the last years, specific record linkage algorithms have been developed. They take ad-
vantage of any information available about the data protection procedure. That is, protection
procedures are analyzed in detail to find flaws that can be used for computing more effi-
cient, with larger matching rates, record linkage algorithms. Attacks tailored for two protec-
tion procedures are reported in the literature. (Torra and Miyamoto, 2004) was the first specific
35 Privacy in Data Mining 697
record linkage approach for microaggregation. More effective algorithms have been proposed
in (Nin and Torra, 2009, Nin et al., 2008b) (for either univariate and multivariate microaggre-
gation). (Nin et al., 2007) describes an algorithm for data protection using rank swapping.
The scenario described above can be relaxed so that the published file and the one of the
intruder do not share the set of variables. I.e., there are no common quasi-identifiers in the two
files. A few record linkage algorithms have been developed under this premise. In this case,
some structural information is assumed to be common in both files. (Torra, 2004) follows this
approach. Its use for disclosure risk assessment is described in (Domingo-Ferrer and Torra,
2003).
35.4 Data Protection Procedures
Protection methods can be classified into three different categories depending on how they
manipulate the original data to define the protected data set.
• Perturbative. The original data set is distorted in some way, and the new data set might
contain some erroneous information. E.g. noise is added to an attribute following a N(0,a)
for a given a. In this way, some combinations of values disappear, and, new combinations
appear in the protected data set. At the same time, combinations in the protected data set no
longer correspond to the ones in the original data set. This obfuscation makes disclosure
difficult for intruders.
• Non-perturbative. Protection is achieved through replacing an original value by another
one that is not incorrect but less specific. For example, we replace a real number by an
interval. In general, non-perturbative methods reduce the level of detail of the data set.
This detail reduction causes different records to have the same combinations of values,
which makes disclosure difficult to intruders.
• Synthetic Data Generators. In this case, instead of distorting the original data, new ar-

tificial data is generated and used to substitute the original values. Formally, synthetic
data generators build a data model from the original data set and, subsequently, a new
(protected) data set is randomly generated constrained by the model computed.
An alternative dimension to classify protection methods is based on the type of data. Basic
distinction is about numerical and categorical data, although other types of data (as e.g. time
series (Nin and Torra, 2006)), sequences of events for location privacy, logs, etc. have also
been considered in the literature.
• Numerical. As usual, an attribute is numerical when arithmetic operations as e.g. sub-
straction can be performed with it. Income and age are typical examples of such attributes.
With respect to disclosure risk, numerical values are likely to be unique in a database and,
therefore, leading to disclosure if no action is taken.
• Categorical. In this case, the attribute takes values over a finite set and standard numeri-
cal operations do not make sense. Ordinal and nominal scales are typically distinguished
among categorical attributes. In ordinal scales the order between values is relevant (e.g.
academic degree), whereas in nominal scales it is not (e.g. hair color). Therefore, max and
min operations are meaningful in ordinal scales but not on nominal scales.
Structured attributes is a subclass of categorical attributes. In this case, different cate-
gories are related in terms of subclasses or member of relationships. In some cases, a
hierarchy between categories can be inferred from these relationships. Cities, counties,
and provinces are typical examples of these hierarchical attributes. For some attributes,
the hierarchy is given but for others not but constructed by the protection procedure.
698 Vicenc¸ Torra
In the next sections we review some of the existing protection methods following the clas-
sification above. Some good reviews on data protection procedures are (Adam and Wortmann,
1989, Domingo-Ferrer and Torra, 2001a, Willenborg, 2001). In addition, we have a section
about k-anonymity. As we will see later, k-anonymity is not a protection method but a general
approach for avoiding disclosure up to a certain extent. Different instantiations exist, some
using perturbative and some using non-perturbative procedures.
In this section we will use X to denote the original data, X


to denote the protected data
set, and x
i,V
to represent the value of the attribute V in the ith record.
35.4.1 Perturbative Methods
In this section we review some of the perturbative methods. Among them, the ones that are
most used by the statistical agencies are rank swapping and microaggregation (Felso et al.,
2001), but the literature on privacy preserving data mining, more oriented to business-related
applications, largely focus on additive noise and microaggregation. Microaggregation and rank
swapping are simple and have a low computational cost. Most of the methods described in this
section, with some of their variants are implemented in the sdcMicro package in R (Templ,
2008) and in the
μ
-Argus software (Hundepool et al., 2003).
Rank Swapping
Rank swapping was originally proposed for ordinal attributes in (Moore, 1996), but also ap-
plied to numerical data in (Domingo-Ferrer and Torra, 2001b). It was classified in (Domingo-
Ferrer and Torra, 2001b) among the best microdata protection methods for numerical attributes
and in (Torra, 2004) among the best for categorical attributes.
Rank swapping is defined for a single attribute V as described below. The application of
this method to a data file with several attributes is done attribute-wise, in a sequential way. The
algorithm depends on a parameter p that permits the user to control the amount of disclosure
risk. Normally, p corresponds to a percent of the total number of records in X.
• records of X (for the considered attribute V) are sorted in increasing order.
• Let us assume, for simplicity, that the records are already sorted and that (a
1
, ,a
n
) are
the sorted values in X. That is, a

i
≤ a

for all 1 ≤ i <≤n.
• Each value a
i
is swapped with another value a

, randomly and uniformly chosen from the
limited range i <≤ i + p.
• The sorting step is undone.
The algorithm shows that the smaller the p, the larger the risk. Note that when p increases
the difference between x
i
and x

may increase accordingly. Therefore, the risk decreases. Nev-
ertheless, in this case the differences between the original and the protected data set are higher,
so information loss increases.
(Nin et al., 2007) proves that specific attacks can be designed for this kind of rank swap-
ping and proposed two alternative algorithms where the swapping is not constrained to a spe-
cific interval. In this way, the range for swapping includes the whole set (a
1
, ,a
n
), although
farther data have small probability of being swapped. In this way, the intruder cannot take ad-
vantage of the closed interals in the attack. p-buckets and p-distribution rank swapping are the
names of such algorithms. Other variants of rank swapping include (Carlson and Salabasis,
2002) and (Takemura, 2002).

35 Privacy in Data Mining 699
Microaggregation
Microaggregation was originally (Defays and Nanopoulos, 1993) defined for numerical
atributes (see also (Domingo and Mateo, 2002)) and later extended to categorical data (Torra,
2004) (see also (Domingo-Ferrer and Torra, 2005)) and to time series (Nin and Torra, 2006).
(Felso et al., 2001) shows that microaggregation is a method used by many statistical
agencies, and (Domingo-Ferrer and Torra, 2001b) shows that, for numerical data, is one of the
methods with a better trade-off between information loss and disclosure risk. (Torra, 2004)
describes its good performance in comparison with other methods for categorical data.
Microaggregation is operationally defined in terms of two steps: partition and aggregation.
• Partition. Records are partitioned into several clusters, each of them consisting of at least
k records.
• Aggregation. For each of the clusters a representative (the centroid) is computed, and
then original records are replaced by the representative of the cluster to which they belong
to.
This approach permits protected data to satisfy privacy constraints, as all k records in the
cluster are replaced by the same value. In this way, k controls the privacy in the protected data.
We can formalize microaggregation using u
ij
to describe the partition of the records in
X. That is, u
ij
= 1 if record j is assigned to the ith cluster. Let v
i
be the representative of the
ith cluster, then a general formulation of microaggregation with g clusters and a given k is as
follows:
Minimize SSE =
∑
g

i=1
∑
n
j=1
u
ij
(d(x
j
,v
i
))
2
Subject to
∑
g
i=1
u
ij
= 1 for all j = 1, ,n
2k ≥
∑
n
j=1
u
ij
≥ k for all i = 1, ,g
u
ij
∈{0,1}
For numerical data it is usual to require that d(x,v) is the Euclidean distance. In the general

case, when attributes V =(V
1
, ,V
s
) are considered, x and v are vectors, and d becomes
d
2
(x,v)=
∑
V
i
∈V
(x
v
−v
V
i
)
2
. In addition, it is also common to require for numerical data that
v
i
is defined as the arithmetic mean of the records in the cluster. I.e., v
i
=
∑
n
j=1
u
ij

x
i
/
∑
n
j=1
u
ij
.
In the case of univariate microaggregation (for Euclidean distance and arithmetic mean), there
exists algorithms to find an optimal solution in polynomial time (Hansen and Mukherjee,
2003) (Algorithm 1 describes such method). In contrast, for multivariate data sets, the problem
becomes an NP-Hard (Oganian and Domingo-Ferrer, 2000). For this reason, heuristic methods
have been proposed in the literature.
The general formulation given above permits us to apply microaggregation to multidi-
mensional data. Nevertheless, when the number of attributes is large, it is usual to apply mi-
croaggregation to subsets of attributes; otherwise, the information loss is very high (Aggarwal,
2005). Individual ranking is a multivariate approach that consists of applying microaggrega-
tion to each of the attributes in an independent way. Alternatively, a partition of the attributes
is constructed and microaggregation is applied to each subset.
Applying microaggregation to subsets of attributes decrease information loss but at the
cost of increasing disclosure risk. See (Nin et al., 2008a) for an analysis of how to build these
partitions (i.e., whether it is preferable to select correlated or uncorrelated attributes when
defining the partition) and their effect on information loss and disclsoure risk. (Nin et al.,
2008a) shows that the selection of uncorrelated attributes decrease disclosure risk and can
lead to a better trade-off between disclosure risk and information loss.