How to Avoid Reidentification with Proper Anonymization

De Montjoye et al. claimed that most individuals can be reidentified from a deidentified transaction database and that anonymization mechanisms are not effective against reidentification. We demonstrate that anonymization can be performed by techniques well established in the literature.

💡 Research Summary

**
The paper provides a critical re‑examination of the claims made by De Montjoye et al. (2015) that a few spatiotemporal data points are sufficient to re‑identify most individuals in a de‑identified credit‑card transaction database. The authors argue that the original study suffers from two fundamental methodological flaws: (1) it conflates sample uniqueness with population uniqueness, and (2) it assumes that an attacker can automatically link a unique record to an external identified source. Because the dataset used by De Montjoye contains only 1.1 million records—a non‑exhaustive sample of an unknown national population—the reported “unicity” values are likely over‑estimates of true re‑identification risk. Moreover, even if a record is unique within the sample, without a concrete linkage to an external identifier (e.g., an electoral roll) the attacker cannot complete a re‑identification.

The authors also criticize the “coarsening” anonymization strategy employed by De Montjoye. Their approach applies fixed, independently chosen intervals to each quasi‑identifier (QI) without considering the actual data distribution or the joint combination of QIs. This naïve method fails to guarantee that unique QI combinations disappear, which is a core requirement of k‑anonymity.

To demonstrate a proper anonymization pipeline, the authors turn to a synthetic dataset (SPD) derived from the publicly available California 2009 patient discharge records, which cover the entire population of roughly four million patients. Because the dataset is exhaustive, uniqueness measured on it truly reflects population‑level re‑identification risk. The authors confirm that when an attacker knows all QIs, the re‑identification risk reaches about 75 %, aligning with the high “unicity” reported by De Montjoye.

They then apply classic k‑anonymity (with k = 2, 3, 5) by clustering records with similar QIs and generalizing each cluster to a common range. In a k‑anonymous dataset, unequivocal re‑identification is eliminated (probability = 0) and the probability of a correct random guess is bounded by 1/k. In contrast, the naïve coarsening method with fixed intervals (covering 1/32, 1/16, or 1/8 of the domain) still leaves many unique QI combinations, resulting in substantially higher re‑identification risk.

The paper also evaluates information loss using the average distance between original and anonymized records. Results show that k‑anonymity not only reduces re‑identification risk more effectively than naïve coarsening but also preserves more data utility, especially at lower values of k (e.g., 2‑anonymity).

Beyond basic k‑anonymity, the authors discuss extensions such as t‑closeness, which mitigates attribute disclosure by ensuring that the distribution of sensitive attributes within each equivalence class remains close to the overall distribution. They reference their own prior work implementing t‑closeness via micro‑aggregation, demonstrating that these advanced models can further protect privacy without sacrificing utility.

Finally, the authors outline emerging research directions: scalability and linkage preservation for big‑data anonymization, real‑time anonymization for streaming data, and co‑utile collaborative anonymization where data subjects actively participate in the anonymization process.

In conclusion, the paper argues that the dramatic re‑identification risks reported by De Montjoye are artifacts of sampling bias and inadequate anonymization. Established techniques from the statistical disclosure control and privacy‑preserving data publishing literature—particularly k‑anonymity and its extensions—provide robust, provable privacy guarantees while retaining analytical usefulness. The authors provide supplementary materials, code, and a synthetic dataset to enable reproducibility, reinforcing the claim that sound anonymization methodologies exist and can be practically applied to protect individuals in modern data releases.