A Propagation Model for Provenance Views of Public/Private Workflows
The authors explain the problem of concealing functionality of a proprietary or private module when provenance information is shown over repeated executions of a workflow which contains both public and private modules. They show that G-privacy cannot be achieved simply by combining solutions for individual private modules; data hiding must also be propagated through public modules. They then examine how much additional data must be hidden and when it is safe to stop propagating data hiding. The answer depends strongly on the workflow topology as well as the behavior of public modules on the visible data.