Achieving Data Privacy through Secrecy Views and Null-Based Virtual Updates

There may be sensitive information in a relational database, and we might want to keep it hidden from a user or group thereof. In this work, sensitive data is characterized as the contents of a set of secrecy views. For a user without permission to access that sensitive data, the database instance he queries is updated to make the contents of the views empty or contain only tuples with null values. In particular, if this user poses a query about any of these views, no meaningful information is returned. Since the database is not expected to be physically changed to produce this result, the updates are only virtual. And also minimal in a precise way. These minimal updates are reflected in the secrecy view contents, and also in the fact that query answers, while being privacy preserving, are also maximally informative. Virtual updates are based on the use of null values as used in the SQL standard. We provide the semantics of secrecy views and the virtual updates. The different ways in which the underlying database is virtually updated are specified as the models of a logic program with stable model semantics. The program becomes the basis for the computation of the “secret answers” to queries, i.e. those that do not reveal the sensitive information.

💡 Research Summary

The paper tackles the problem of protecting sensitive information in relational databases by introducing a novel, declarative approach based on secrecy views and null‑based virtual updates. Unlike traditional access‑control mechanisms that specify which views a user may see, secrecy views explicitly declare the data that must remain hidden from a particular user or user class. Each secrecy view is defined as a conjunctive query (possibly with built‑in predicates) whose result set constitutes the secret data.

When a restricted user issues a query, the system does not physically alter the underlying database. Instead, it performs a virtual update that minimally modifies attribute values by inserting the SQL standard NULL constant. The goal of the update is to make every secrecy view either empty or contain a single tuple consisting solely of NULLs. This “nullification” guarantees that any query directly referencing a secrecy view returns no meaningful information, because in SQL a comparison with NULL yields UNKNOWN and thus does not satisfy the view’s condition.

A central contribution is the precise definition of minimality for these virtual updates. The authors argue that naively deleting entire tuples would discard useful information (e.g., identifiers) and could enable inference attacks when users combine answers from multiple queries. Therefore, the update must change as few attribute values as possible while still achieving the nullification of all secrecy views. This minimality is formalized in terms of set inclusion over the changes applied to the original instance.

To reason about databases that contain NULLs, the paper adopts a logical reconstruction of SQL’s three‑valued semantics. It introduces two satisfaction relations: the classic first‑order satisfaction (|=) and a specialized one (|=ₙ) that respects SQL’s treatment of NULL. Under |=ₙ, free variables in query answers cannot be bound to NULL, and built‑in predicates involving NULL evaluate to UNKNOWN, mirroring the behavior of commercial DBMSs. This formalism enables a uniform treatment of query answering, integrity‑constraint checking, and the definition of secrecy.

The set of all possible databases resulting from the minimal virtual updates is called the secrecy instances of the original database with respect to a given set of secrecy views. The authors show that these instances can be captured exactly by a disjunctive logic program whose stable models correspond one‑to‑one with the secrecy instances. The program encodes (i) the original data, (ii) the conditions that force a secrecy view to become null, and (iii) the minimality requirement via default negation and choice rules. Consequently, computing the stable models yields all admissible secrecy instances without materializing them explicitly.

A secret answer to a user query is defined as a tuple that is an answer in every secrecy instance; equivalently, it is a skeptical consequence of the logic program. This definition guarantees that the answer cannot leak any information about the hidden data, because any tuple that would reveal a secret would be absent from at least one secrecy instance. The approach thus provides maximally informative answers under the privacy constraint.

The paper also establishes connections with consistent query answering (CQA) and database repair literature. In CQA, one repairs an inconsistent database by minimally modifying it to satisfy integrity constraints, and then returns answers that are true in all repairs. Here, the “repairs” are replaced by “secrecy instances,” and the integrity constraints are replaced by secrecy‑view nullification conditions. This analogy allows the reuse of existing ASP solvers and repair techniques for privacy‑preserving query answering.

Key contributions summarized:

1. Introduction of secrecy views as a declarative means to specify forbidden data.
2. Definition of minimal null‑based virtual updates that enforce secrecy without physical data changes.
3. Formalization of secret answers as skeptical answers over all secrecy instances.
4. Logical characterization of secrecy instances via disjunctive stable‑model programs.
5. Precise handling of SQL NULL semantics within a first‑order logical framework.
6. Demonstration of the relationship between secret query answering and CQA/repairs.

From a practical standpoint, the approach can be implemented on top of standard SQL‑compliant DBMSs because it relies on the existing NULL mechanism. The virtual updates are transparent to applications, and the logic program can be executed using off‑the‑shelf answer‑set programming systems to compute secret answers efficiently. Overall, the work provides a solid theoretical foundation for privacy‑preserving query processing that balances data utility with strict confidentiality guarantees.