What are the four key steps of a rigorous anonymization pipeline, and which one must come first?
1) Attribute categorization, 2) generalization-hierarchy creation, 3) privacy-model application, 4) quality assessment — and you must define the attacker model before any of it.
* The four-step pipeline — but define the attacker model before step 1. *
A rigorous pipeline runs four sequential steps, and the order matters because each one builds on the last — you can't choose a privacy model before you know which columns are sensitive, and you can't judge quality before a model has been applied:
- Attribute Categorization — label every column Identifying / Quasi-Identifying / Sensitive. This is the foundation: the labels decide what gets removed, generalized, or protected.
- Generalization Hierarchy Creation — build abstraction levels (ladders) for each quasi-identifier so the algorithm has good coarsening options to choose from.
- Privacy Model Application — apply a model such as k-anonymity or l-diversity, climbing those hierarchies only as far as the privacy target requires.
- Quality Assessment & Assurance — validate the result against both utility (is it still useful?) and the privacy guarantee (does it actually hold?).
But there's a step zero that decides everything. Do this first: before step 1, create and document an attacker model — Who receives the data? What public datasets could they join it with? What's the worst case? Without a clear attacker model you literally cannot decide what "sufficient anonymization" means, because every guarantee (the right k, the right l) is defined relative to an assumed adversary.
Tip: Anonymization without an attacker model is guessing. The model is the spec; everything else is implementation.
Go deeper:
A Visual Guide to Practical Data De-Identification (FPF) — how safeguards/attacker context drive the model.
Data anonymization (Wikipedia) — the categorize/transform/validate workflow.