The Privacy Silo Becomes the Re-Identification Threshold
The June 2026 arXiv paper Cross-Silo De-Anonymization Under Local Differential Privacy: Threat Model, Phase Transition, and Coordination Necessity, by Ziniu Liu and Aiping Li, studies when individually protected data silos become jointly identifying.
De-Identification Has a Composition Problem
The paper, arXiv:2606.16763 [cs.CR], was submitted on June 15, 2026. Its question is practical: if one person's records appear across many independent data silos, and each silo uses local differential privacy, when does the combined output become identifying enough for an adversary to recover the person?
That is not the same as asking whether one database satisfies a formal privacy definition. A health app, school platform, broker file, public agency, employer, mobility dataset, and ad network can each publish or share something that looks locally protected. The institutional danger appears when those releases are later joined by a party with enough background knowledge, enough candidate identities, and enough silos to compare.
This page is distinct from the site's existing entries on differential privacy, federated learning, and location brokers. Those pages explain privacy techniques and data markets. Liu and Li's paper asks when a pile of individually noisy silos crosses a re-identification threshold.
What the Paper Models
Liu and Li introduce cross-silo person-level DP, abbreviated XSP-DP, as a Pufferfish-style privacy notion. The adjacency relation is person-centered: it treats all records of one person across all silos as the unit of concern. The paper verifies that the standard basic composition bound carries over in this setting, so k protected silos still receive a composed privacy guarantee.
The authors' main point is that a worst-case composition guarantee does not answer the concrete inference question. A privacy officer may know the aggregate bound, but an attacker asks something different: how many independent protected releases are enough to identify the target among n people?
Within an information-theoretic model, the paper studies binary randomized-response mechanisms and proves a phase transition. The critical number of silos scales as Theta(log n / epsilon^2), where n is population size and epsilon is the per-silo randomized-response parameter. Below the threshold, a Fano lower bound says estimators fail. Above it, a maximum-likelihood attack succeeds under the modeled assumptions.
The Threshold Lesson
The governance lesson is that privacy can fail as a collective property even when every participant can point to local compliance. A silo can say its output is noisy. Another silo can say the same. The adversary does not have to break either silo. The adversary gets leverage from overlap.
The paper's XOR plus randomized-response construction makes that lesson sharp. It demonstrates information synergy: each silo's output can be individually uninformative about the target, while the joint output carries positive mutual information. In plainer terms, the leak may not live in any single release. It may live in the pattern formed by the releases together.
That pattern is familiar outside the theorem. People are identified by combinations: a commute trace plus a pharmacy pattern, a device signal plus a school record, a job title plus a neighborhood, a rare diagnosis plus a timestamp. Differential privacy changes the mathematics of release, but it does not abolish the institutional fact that identities span databases.
Why Coordination Matters
The paper argues that for non-coordinated binary randomized-response mechanisms, de-anonymization becomes inevitable once the number of silos exceeds the threshold. That is a narrow formal statement, not a slogan. Its force is still broad: if every silo independently optimizes its own release rule, no one is managing the person-level risk produced by the system of releases.
Coordination does not have to mean a central surveillance authority. It can mean shared privacy budgets, release registries, data-use agreements, cross-silo risk review, common threat models, and refusal to publish certain combinations even when each isolated publication looks safe. The unit of governance has to match the unit of harm. If the harm is person-level re-identification across institutions, then silo-level approval is the wrong approval layer.
This is also a warning for AI training and evaluation pipelines. Model builders often want many privacy-preserving sources: public records, app telemetry, brokered datasets, institutional logs, and synthetic or federated derivatives. A privacy claim attached to each source is not enough. The combined corpus can create a new inference surface.
What It Does Not Prove
The paper does not measure leakage in a named deployed database, ad network, hospital network, or federated-learning consortium. It gives a baseline threat model and asymptotic threshold for cross-silo inference attacks under local DP, with detailed results for binary randomized response and related theoretical settings.
It also does not say that differential privacy is useless. The sharper reading is the opposite: privacy definitions need the right adjacency model, threat model, and coordination layer. A formal guarantee remains valuable, but it can be aimed at the wrong boundary if the person is distributed across institutions.
Finally, the result should not be marketed as a magic number for every audit. Heterogeneous attributes, correlated silos, adaptive adversaries, richer data types, and real deployment constraints require additional analysis. The threshold is a warning about structure, not a universal compliance calculator.
Governance Standard
Any cross-silo privacy program should maintain a person-level release register. The register should identify participating silos, protected attributes, release mechanisms, privacy parameters, population size assumptions, overlap estimates, downstream recipients, linkage risks, and whether releases are independent or coordinated.
Before data enters a model-development, analytics, or public-release pipeline, the sponsor should ask a cross-silo question: what can be inferred when this release is combined with the releases that already exist? If the answer depends on another institution's behavior, then the governance mechanism has to include that institution or refuse the release.
The Spiralist rule is this: privacy does not live inside the silo. It lives in the graph of silos. A release can be locally noisy and collectively revealing, and the public should not have to discover that only after the threshold has been crossed.
Sources
- Ziniu Liu and Aiping Li, Cross-Silo De-Anonymization Under Local Differential Privacy: Threat Model, Phase Transition, and Coordination Necessity, arXiv:2606.16763 [cs.CR], submitted June 15, 2026.
- arXiv experimental HTML for Cross-Silo De-Anonymization Under Local Differential Privacy, reviewed June 25, 2026.
- Related pages: Differential Privacy, Data Minimization, Federated Learning Becomes the Data Truce, The Digital Person and the Dossier Machine, The Location Broker Becomes the Shadow Sensor Network, and AI Data Provenance.