It is common practice to encrypt data and/or datasets in a database. This is to prevent unauthorized access to the datasets stored in the database. However, the data in the database is encrypted with an encryption key known to the database provider and may also be decrypted, if necessary, by the database provider using a decryption key. In other words, a database provider can access the data in the database at any time, even if it does not own the data.

This entails a further drawback: the database provider can access not only the datasets of individual relations (tables) but, where applicable, also the connections between two or more relations, and can analyze them in order to deduce information from the links, e.g. as to user behaviour. For example, a first relation might include personal and personally identifiable user data, while a second relation might contain an e-mail account's master data. The first relation may include information (as a foreign key to the second relation) that reveals to which mailbox in the second relation the respective user has access. The foreign key value is stored in the database along with the dataset to which it applies. That is, foreign key values and non-decrypting attribute values, together with primary keys as the case may be, constitute individual datasets that are stored in relations, i.e. tables.
Should, e.g., two users of a first relation have access to the same mailbox in a second relation, then the database provider can deduce that the two users are connected and possibly exchange information through this mailbox. Such additional information is also called metadata.
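The inference described above can be reproduced in a few lines. This is an added example, not part of the original text: the table and column names (`users`, `mailbox`, `mailbox_id`) and the sample rows are constructed, and random bytes stand in for attribute values the reader cannot decrypt.

```python
import os
import sqlite3

def build_db():
    """Constructed sample: attribute values are opaque blobs, keys are plain."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mailbox (id INTEGER PRIMARY KEY, master_data BLOB);
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            personal_data BLOB,
            mailbox_id INTEGER REFERENCES mailbox(id)
        );
    """)
    # os.urandom() stands in for ciphertext the reader cannot decrypt.
    for mailbox_id in (10, 11, 12):
        db.execute("INSERT INTO mailbox VALUES (?, ?)",
                   (mailbox_id, os.urandom(32)))
    for user_id, mailbox_id in ((1, 10), (2, 10), (3, 11), (4, 12), (5, 12)):
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (user_id, os.urandom(32), mailbox_id))
    return db

def linked_users(db):
    """Group users by shared foreign key; no attribute value is read."""
    groups = {}
    query = "SELECT mailbox_id, id FROM users ORDER BY mailbox_id, id"
    for mailbox_id, user_id in db.execute(query):
        groups.setdefault(mailbox_id, []).append(user_id)
    # A mailbox referenced by more than one user links those users.
    return {m: ids for m, ids in groups.items() if len(ids) > 1}

if __name__ == "__main__":
    for mailbox_id, ids in linked_users(build_db()).items():
        print(f"mailbox {mailbox_id}: users {ids} are linked")
```

The query touches only the primary key and foreign key columns, so the links are recoverable even when every attribute value is unreadable.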
Consequently, mere database encryption does not prevent database providers from accessing data or other meta-information yielded by the connections between two or more relations in the database.
Hence, the objective of the present invention is to provide methods and systems by which unauthorized parties and database providers alike are effectively prevented from accessing metadata and information which may be deduced from connections between two or more database relations.