Privacy metrics

Workflow for evaluating the strength of privacy metrics

Privacy metrics are used to show how effective new privacy-enhancing technologies are, i.e. to what extent they are able to protect privacy, by measuring the amount of privacy the technologies provide. Even though many privacy metrics have been proposed, there are many studies showing their shortcomings in terms of consistency, reproducibility, and applicability in different application domains. This is an important issue because use of a weak privacy metric can lead to real-world privacy violations if the privacy metric overestimates the amount of privacy provided by a technology.

This project investigates privacy metrics for several application domains, including genomics, vehicular networks, smart metering, social network, and data publishing.

This project was supported by EPSRC (grant EP/P006752/1, "PryMe, a Universal Framework to Measure the Strength of Privacy-enhancing Technologies", 2016-2018). Key findings from this project include:

  • Monotonicity, evenness, extent, and shared value range are key criteria to evaluate the strength of privacy metrics (Zhao and Wagner, TMC, 2019).
  • No single metric dominates across all criteria for vehicular privacy (Zhao and Wagner, TMC, 2019).
  • Many privacy metrics for graph privacy are not monotonic, i.e. they do not indicate decreasing privacy with increasing adversary strength (Zhao and Wagner, TDSC, 2020).
  • When privacy metrics are combined into metrics suites using methods from decision support, the monotonicity of privacy measurement increases (Zhao and Wagner, TDSC, 2020).
  • Privacy professionals’ views on data protection impact assessments show gaps in quantification of and communication about privacy risks (Ferra et al., 2020).
  • The monotonicity of privacy metrics suites can be improved using evolutionary optimization (Wagner and Yevseyeva, TOPS, 2021).

The project sparked a successful series of workshops with privacy professionals (including data protection officers, privacy consultants, and privacy activists). The first workshop (January 2018) was held during the project's runtime. The following workshops (June 2019 and November 2019) were possible through support from De Montfort University. Each workshop was attended by approx. 20 participants. According to participants, the workshop series provides a valuable platform for exchange with other privacy professionals and academics that informs and enhances their professional practice.

Selected publications