Inferensys

Glossary

Re-identification Risk

The probability that an adversary can successfully link de-identified records back to specific individuals using auxiliary information or statistical inference.
Risk analyst performing AI risk assessment on laptop, risk matrices visible, casual office risk session.
PRIVACY METRIC

What is Re-identification Risk?

The probability that an adversary can successfully link de-identified records back to specific individuals using auxiliary information or statistical inference.

Re-identification risk is the quantified probability that an adversary can successfully link ostensibly de-identified records back to specific individuals by correlating quasi-identifiers (QIDs) with auxiliary datasets. This risk arises not from direct identifiers like names, but from the combination of seemingly innocuous attributes—such as birth date, gender, and ZIP code—that become uniquely identifying when cross-referenced against public voter rolls or commercial databases.

Mitigating this risk requires formal privacy models like k-anonymity, which ensures each record is indistinguishable from at least k-1 others, or differential privacy, which injects calibrated noise to provably bound the influence of any single record. The assessment is a continuous adversarial game; as new external data sources become available, a previously safe dataset may become vulnerable, necessitating ongoing statistical disclosure control rather than a one-time masking operation.

Quantifying Re-identification Vulnerability

Core Risk Metrics and Measurement Approaches

Measuring re-identification risk requires moving beyond binary safe/unsafe labels to probabilistic, adversarial, and information-theoretic frameworks that quantify exactly how much protection a de-identification pipeline provides.

01

Prosecutor Risk

The probability that an adversary can re-identify a specific, targeted individual within a de-identified dataset. This metric assumes the attacker possesses auxiliary information about the target and attempts to match it to a single record. Prosecutor risk is the most stringent measure because it focuses on the worst-case scenario for a known person. It is calculated by evaluating the uniqueness of quasi-identifier combinations and the attacker's background knowledge. A dataset with low prosecutor risk ensures that even if an adversary knows a target's zip code, age, and gender, they cannot isolate that person's record with high confidence.

Targeted
Attack Model
02

Journalist Risk

The probability that an adversary can re-identify any single record in the dataset without targeting a specific individual beforehand. Unlike prosecutor risk, journalist risk models an attacker who attempts to breach the dataset and find at least one vulnerable record. This is a population-to-sample attack where the adversary tries to link any record to a known individual. It is generally higher than prosecutor risk because the attacker can exploit the most unique records. Mitigation involves ensuring no equivalence class is too small, typically enforced through k-anonymity constraints.

Any Record
Attack Model
03

Marketer Risk

The probability that an adversary can re-identify a substantial proportion of records in the dataset. Marketer risk models an attacker whose goal is mass re-identification for commercial gain, such as linking a de-identified medical database to a marketing list. This metric evaluates the overall vulnerability of the dataset rather than individual records. It is measured by the expected number of correct record linkages across the entire dataset. Defenses include l-diversity and t-closeness to prevent attribute disclosure even when re-identification succeeds.

Bulk
Attack Model
04

Uniqueness Metrics

Quantitative measures of how distinguishable records are within a dataset based on quasi-identifiers. Key metrics include:

  • Uniqueness Ratio: The fraction of records that are unique in the population given a set of quasi-identifiers
  • Correct Attribution Probability (CAP): The likelihood that an attacker correctly links a de-identified record to the true individual
  • Record Linkage Success Rate: The percentage of records successfully matched to an external identified dataset using deterministic or probabilistic linkage These metrics are computed empirically by simulating attacks using auxiliary datasets or through theoretical population uniqueness models.
05

Information-Theoretic Measures

Privacy metrics grounded in information theory that quantify the reduction in uncertainty about an individual's data after observing a release. Mutual information measures the dependency between the original sensitive data and the released output. Min-entropy leakage captures the worst-case probability of guessing a secret given the release. Differential privacy's epsilon formalizes the maximum information leakage as a multiplicative bound on output probabilities. These measures provide provable guarantees independent of attacker background knowledge, making them the gold standard for formal privacy accounting.

06

Adversarial Simulation Testing

A practical methodology for measuring re-identification risk by executing controlled attacks against a de-identified dataset. The process involves:

  • Assembling an auxiliary dataset representing realistic attacker knowledge
  • Executing record linkage algorithms (deterministic and probabilistic) to match records
  • Computing precision, recall, and F1-score of the linkage
  • Iterating with varying quasi-identifier subsets to identify the most vulnerable attribute combinations This empirical approach complements theoretical metrics and is required under Expert Determination for HIPAA Safe Harbor compliance.
CONCEPTUAL DISTINCTIONS

Re-identification Risk vs. Related Privacy Concepts

How re-identification risk differs from foundational privacy models and de-identification techniques in scope, mechanism, and adversarial assumptions.

FeatureRe-identification Riskk-AnonymityDifferential PrivacyPseudonymization

Core Definition

Probability an adversary links de-identified records to specific individuals using auxiliary data

Privacy model ensuring each record is indistinguishable from at least k-1 others on quasi-identifiers

Mathematical framework providing provable privacy via calibrated noise injection into query outputs

Replacement of direct identifiers with artificial pseudonyms, reversible with separately stored key

Primary Focus

Measuring residual attack vulnerability after de-identification

Preventing singling out through equivalence class grouping

Guaranteeing output distribution is nearly identical with or without any single record

Obscuring direct identity while preserving record-level linkage capability

Formal Guarantee

Adversarial Assumption

Attacker possesses external auxiliary datasets for linkage

Attacker knows quasi-identifier values of target individual

Attacker has arbitrary auxiliary information and unbounded computational power

Attacker lacks access to separately stored pseudonymization key

Quantifiable Metric

Measured as probability score or prosecutor risk (0-1 range)

Parameter k defines minimum equivalence class size

Parameter epsilon quantifies privacy loss budget

Protects Against

Linkage attacks using public voter rolls, census data, or commercial databases

Identity disclosure via quasi-identifier matching

Membership inference, reconstruction, and differencing attacks

Direct visual identification from dataset contents

Data Utility Impact

Assessment metric only; does not alter data

Moderate: generalization and suppression reduce granularity

Configurable: noise scale trades statistical accuracy for privacy

Minimal: only direct identifiers replaced; analytical structure preserved

Regulatory Recognition

Referenced in GDPR Recital 26 and HIPAA expert determination

Foundational academic model; not explicitly named in regulations

Referenced by US Census Bureau and emerging regulatory guidance

Explicitly defined in GDPR Art. 4(5) as distinct from anonymization

CASE STUDIES

Notable Re-identification Incidents

Real-world incidents where de-identified data was successfully re-identified, demonstrating the practical risks and the failure modes of inadequate anonymization techniques.

01

The Netflix Prize (2006)

Researchers Arvind Narayanan and Vitaly Shmatikov demonstrated a linkage attack by cross-referencing the anonymized Netflix movie ratings dataset with publicly available IMDb reviews. Using only ratings and dates as quasi-identifiers, they successfully identified individual users and inferred their political affiliations and other sensitive preferences. The attack exploited the sparsity and uniqueness of individual rating patterns, proving that removing direct identifiers is insufficient when auxiliary data exists.

500k
Subscribers Exposed
8
Movies Needed for ID
02

AOL Search Data Leak (2006)

AOL Research released 20 million search queries from 650,000 users, replacing usernames with numeric IDs. Within days, journalists from the New York Times successfully re-identified specific individuals by analyzing the semantic content of search histories. User 4417749 was traced to Thelma Arnold in Lilburn, Georgia, simply by searching for local businesses, personal names, and health conditions. This incident highlighted that unstructured text contains rich quasi-identifier information.

650k
Users Affected
20M
Search Queries Exposed
03

Massachusetts Governor Health Data (1997)

Latanya Sweeney famously re-identified the medical records of Massachusetts Governor William Weld from an anonymized state employee health insurance dataset. By purchasing the Cambridge voter registration rolls for $20, she linked the ZIP code, birth date, and sex present in both datasets. This foundational case proved that 87% of the U.S. population is uniquely identifiable using only these three quasi-identifiers, directly motivating the development of k-anonymity.

$20
Cost of Auxiliary Data
87%
U.S. Population Uniquely Identifiable
04

NYC Taxi & Limousine Commission (2014)

The NYC TLC released a dataset of 173 million taxi trips with medallion numbers hashed using MD5. Researchers reversed the anonymization by exploiting the small input domain of medallion numbers and the deterministic nature of unsalted hashing. Combined with pickup/drop-off coordinates and timestamps, they identified specific drivers, calculated their incomes, and even reconstructed trips to strip clubs and celebrity residences, exposing the failure of naive pseudonymization.

173M
Trips De-anonymized
MD5
Broken Hash Algorithm
05

Strava Heatmap Military Base Exposure (2018)

Fitness app Strava published a global heatmap visualizing 3 trillion GPS points from user activities. Analysts quickly identified the outlines of secret military bases in Syria, Afghanistan, and Djibouti, as soldiers using fitness trackers revealed patrol routes and base perimeters. The spatial aggregation intended to anonymize the data instead highlighted anomalous activity patterns in otherwise dark zones, demonstrating that location data is inherently identifying even in aggregate.

3T
GPS Points Visualized
2018
Year of Disclosure
06

Australia Department of Health MBS/PBS Data (2016)

Researchers from the University of Melbourne successfully re-identified individuals in an open dataset of Australian Medicare Benefits Schedule and Pharmaceutical Benefits Scheme records. Despite encryption of patient IDs, the longitudinal nature of the data—linking medical services and prescriptions over time—created unique clinical fingerprints. By chaining rare medical events and provider visits, they demonstrated that temporal patterns in medical histories serve as powerful quasi-identifiers.

10%
Sample Re-identified
2.9M
Records in Dataset
RE-IDENTIFICATION RISK

Frequently Asked Questions

Clear, technical answers to the most common questions about the statistical and adversarial risks of re-linking de-identified data to specific individuals.

Re-identification risk is the probability that an adversary can successfully link de-identified records back to specific individuals using auxiliary information or statistical inference. Formally, it is measured as the likelihood that a record in a released dataset can be uniquely matched to an identity in an external population register. This risk is not binary; it exists on a spectrum and is quantified using metrics like record linkage probability, uniqueness scores, and prosecutor risk. The fundamental challenge is that removing direct identifiers such as names and social security numbers is insufficient when quasi-identifiers (QIDs)—like date of birth, gender, and ZIP code—remain. Latanya Sweeney's seminal work demonstrated that 87% of the U.S. population could be uniquely identified using only those three attributes. Modern risk assessment uses adversarial modeling, where the analyst simulates an attacker with specific background knowledge to calculate the proportion of records that could be singled out under worst-case assumptions.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.