78 research outputs found
Assessing the disclosure protection provided by misclassification for survey microdata
Government statistical agencies often apply statistical disclosure limitation techniques to survey microdata to protect confidentiality. There is a need for ways to assess the protection provided. This paper develops some simple methods for disclosure limitation techniques which perturb the values of categorical identifying variables. The methods are applied in numerical experiments based upon census data from the United Kingdom which are subject to two perturbation techniques: data swapping and the post randomisation method. Some simplifying approximations to the measure of risk are found to work well in capturing the impacts of these techniques. These approximations provide simple extensions of existing risk assessment methods based upon Poisson log-linear models. A numerical experiment is also undertaken to assess the impact of multivariate misclassification with an increasing number of identifying variables. The methods developed in this paper may also be used to obtain more realistic assessments of risk which take account of the kinds of measurement and other non-sampling errors commonly arising in surveys
Statistical disclosure control methods for census frequency tables
This paper provides a review of common statistical disclosure control (SDC) methods implemented at Statistical Agencies for standard tabular outputs containing whole population counts from a Census (either enumerated or based on a register). These methods include record swapping on the microdata prior to its tabulation and rounding of entries in the tables after they are produced. The approach for assessing SDC methods is based on a disclosure risk–data utility framework and the need to find the balance between managing disclosure risk while maximizing the amount of information that can be released to users and ensuring high quality outputs. To carry out the analysis, quantitative measures of disclosure risk and data utility are defined and methods compared. Conclusions from the analysis show that record swapping as a sole SDC method leaves high probabilities of disclosure risk. Targeted record swapping lowers the disclosure risk, but there is more distortion to distributions. Small cell adjustments (rounding) give protection to Census tables by eliminating small cells but only one set of variables and geographies can be disseminated in order to avoid disclosure by differencing nested tables. Full random rounding offers more protection against disclosure by differencing, but margins are typically rounded separately from the internal cells and tables are not additive. Rounding procedures protect against the perception of disclosure risk compared to record swapping since no small cells appear in the tables. Combining rounding with record swapping raises the level of protection but increases the loss of utility to Census tabular outputs. For some statistical analysis, the combination of record swapping and rounding balances to some degree opposing effects that the methods have on the utility of the tables
Data swapping for protecting census tables
The pre-tabular statistical disclosure control (SDC) method of data swapping is the preferred method for protecting Census tabular data in some National Statistical Institutes, including the United States and Great Britain. A pre-tabular SDC method has the advantage that it only needs to be carried out once on the microdata and all tables released (under the conditions of the output strategies, eg. fixed categories of variables, minimum cell size and population thresholds) are considered protected. In this paper, we propose a method for targeted data swapping. The method involves a probability proportional to size selection strategy of high risk households for data swapping. The selected households are then paired with other households having the same control variables. In addition, the distance between paired households is determined by the level of risk with respect to the geographical hierarchies. The strategy is compared to a random data swapping strategy in terms of the disclosure risk and data utility
A Risk-Utility Framework for
Data swapping is a statistical disclosure limitation method used to protect the confidentiality of data by interchanging variable values between records. We propose a risk-utility framework for selecting an optimal swapped data release when considering several swap variables and multiple swap rates. Risk and utility values associated with each such swapped data file are traded off along a frontier of undominated potential releases, which contains the optimal release(s). Current Population Survey data are used to illustrate the framework for categorical data swapping
Releasing microdata: disclosure risk estimation, data masking and assessing utility
Statistical Agencies need to make informed decisions when releasing sample microdata from social surveys with respect to the level of protection required in the data and the mode of access. These decisions should be based on objective quantitative measures of disclosure risk and data utility. This paper reviews recent developments in disclosure risk assessment and discusses how these can be integrated with established methods of data masking and utility assessment for releasing microdata. We illustrate the Disclosure risk-Data Utility approach based on samples drawn from a Census where the population is known and can be used to investigate sample-based methods and validate results
Preserving edits when perturbing microdata for statistical disclosure control
To protect individuals in microdata from the risk of re-identification, a general perturbative method called PRAM (the Post-Randomization Method) is sometimes used for masking records. This method adds “noise” to categorical variables by changing values of categories for a small number of records according to a prescribed probability matrix and a stochastic process based on the outcome of a random multinomial draw. Changing values of categorical variables, however, will cause fully edited and clean records in microdata to start failing edit constraints resulting in data of low utility. In addition, an inconsistent record pinpoints to a potential attacker that the record was perturbed and attempts can be made to unmask the data. Therefore, the perturbation process must take into account micro edit constraints which will ensure that perturbed microdata satisfy all edits. Macro edit constraints which take the form of information loss measures also need to be defined in order to ensure that the overall utility of the data will not be badly compromised given an acceptable level of disclosure risk. This paper will discuss methods for perturbing microdata using PRAM while minimizing micro and macro edit failures. (Updated 10th August 2005
Protection of micro-data subject to edit constraints against statistical disclosure
Before releasing statistical outputs, data suppliers have to assess if the privacy of the statistical units is endangered and apply Statistical Disclosure Control (SDC) methods if necessary. SDC methods perturb, modify or summarize the data, depending on the format for releasing the data, whether as micro-data or tabular data. The goal is to choose an optimal method that manages disclosure risk below a tolerable risk threshold while ensuring high utility and high quality statistical data. In this article we first overview several SDC methods for continuous and categorical micro-data. All the methods perturb the data in some way. Changing values, however, will cause fully edited records in micro-data to fail edit constraints (i.e., logical rules or edits), resulting in low utility data. Moreover, an inconsistent record will signal it as having been perturbed for disclosure control and attempts can be made to unmask the data. In order to deal with these problems, we develop new implementation methods for the perturbation and minimize record level edit failures as well as overall measures which assess information loss and utility. This is done by perturbing within control strata and imputing for failed edits, ensuring additivity constraints, and preserving totals, means and covariance matrices
The Effect of Data Swapping on Analyses of American Community Survey Data
Researchers from a growing range of fields and industries rely on public-access census data. These data are altered by census-taking agencies to minimize the risk of identification; one such disclosure avoidance measure is the data swapping procedure. I study the effects of data swapping on contingency tables using a dummy dataset, public-use American Community Survey (ACS) data, and restricted-use ACS data accessed within the U.S. Census Bureau. These simulations demonstrate that as the rate of swapping is varied, the effect on joint distributions of categorical variables is no longer understandable when the data swapping procedure attempts to target at-risk individuals for swapping using a simple targeting criterion.</jats:p
Privacy Protection from Sampling and Perturbation in Survey Microdata
We consider the assessment of disclosure risk in the release of microdata from social surveys as public-use files. We consider both identification risk and the notion of differential privacy introduced in the computer science literature. We show that sampling, as a disclosure limitation technique, does not guarantee differential privacy. However, threats to differential privacy, i.e. 'leakage', may have small probability and sampling can provide protection under a broader definition of privacy. Moreover, the occurrence of conditions when such a threat can occur may be unknown to the adversary and require statistical inference. Disclosure limitation techniques that perturb variables in the microdata according to misclassification probabilities guarantee differential privacy provided that there are no zero elements in the misclassification mechanism. Combining sampling and perturbation, especially for rare combinations of identifying variables, will reduce the 'leakage'
Statistical disclosure control for survey data
Statistical disclosure control refers to the methodology used in the design of the statistical outputs from a survey for protecting the confidentiality of respondents’ answers. The threat to confidentiality is assumed to come from a hypothetical intruder who has access to these outputs and seeks to use them to disclose information about a survey respondent. One key concern relates to identity disclosure, which would occur if the intruder were able to link a known individual (or other unit) to an element of the output. Another main concern relates to attribute disclosure, which would occur if the intruder could determine the value of some survey variable for an identified individual (or other unit) using the statistical output. Measures of the probability of disclosure are called disclosure risk. If this level of risk is deemed unacceptable then it may be necessary to apply a method of statistical disclosure control to the output. The choice of which method and how much protection to apply depends not just on the impact on disclosure risk but also on the impact on the utility of the output to users. This paper provides a review of statistical disclosure control methodology for two main types of survey output: (i) tables of estimates of population parameters and (ii) microdata, often released as a rectangular file of variables by analysis units. For each of these types of output, the definition and estimation of disclosure risk is discussed as well as methods for statistical disclosure control
- …
