You Are What You Buy: Personal Information Extraction From Anonymized Data

Bibliographic details
Published in: IEEE Access 2024, Vol. 12, p. 29714-29722
Main authors: Cilloni, Thomas; Fleming, Charles; Walter, Charles
Format: Article
Language: English
Description
Summary: The exponential growth of data in the information age poses several threats to the privacy and safety of digital service users. Existing legislation, such as the GDPR in Europe and the CCPA in California, defines frameworks and guidelines to promote personal privacy but leaves freedom in the choice of means to achieve privacy. Data anonymization techniques remove information that can be used to identify individuals from the dataset, either through suppression, generalization, anatomization, permutation, or perturbation. Information suppression remains the most common, safe, and widely applicable anonymization method, though at a high data utility cost. In this paper, we argue that even information suppression may not be sufficient in some cases. We study the case of a dataset that describes the shopping habits of a grocery store's customers. All identifiers and quasi-identifiers are removed from the dataset by suppression. However, by augmenting the data in a novel multi-step, iterative process, and building a neural network enriched with prior knowledge, we show that most sensitive information can be retrieved with an accuracy of 80%.
ISSN: 2169-3536
DOI: 10.1109/ACCESS.2024.3365190