Logical foundations of linked data anonymisation

The widespread adoption of the Linked Data paradigm has been driven by the increas-ing demand for information exchange between organisations, as well as by regulations indomains such as health care and governance that require certain data to be published. Inthis setting, sensitive information is at high risk of disclosure since published data can beoften seamlessly linked with arbitrary external data sources.In this paper we lay the logical foundations of anonymisation in the context of LinkedData. We consider anonymisations of RDF graphs (and, more generally, relational datasetswith labelled nulls) and define notions of policy-compliant and linkage-safe anonymisations.Policy compliance ensures that an anonymised dataset does not reveal any sensitive infor-mation as specified by a policy query. Linkage safety ensures that an anonymised datasetremains compliant even if it is linked to (possibly unknown) external datasets available onthe Web, thus providing provable protection guarantees against data linkage attacks. Weestablish the computational complexity of the underpinning decision problems both underthe open-world semantics inherent to RDF and under the assumption that an attacker hascomplete, closed-world knowledge over some parts of the original data.