
13 - Using Statistics to Protect Privacy

Published online by Cambridge University Press:  05 July 2014

Alan F. Karr
Affiliation:
University of North Carolina
Jerome P. Reiter
Affiliation:
Duke University
Julia Lane
Affiliation:
American Institutes for Research, Washington DC
Victoria Stodden
Affiliation:
Columbia University, New York
Stefan Bender
Affiliation:
Institute for Employment Research of the German Federal Employment Agency
Helen Nissenbaum
Affiliation:
New York University

Summary

Introduction

Those who generate data – for example, official statistics agencies, survey organizations, and principal investigators, henceforth all called agencies – have a long history of providing access to their data to researchers, policy analysts, decision makers, and the general public. At the same time, these agencies are obligated ethically and often legally to protect the confidentiality of data subjects’ identities and sensitive attributes. Simply stripping names, exact addresses, and other direct identifiers typically does not suffice to protect confidentiality. When the released data include variables that are readily available in external files, such as demographic characteristics or employment histories, ill-intentioned users – henceforth called intruders – may be able to link records in the released data to records in external files, thereby compromising the agency’s promise of confidentiality to those who provided the data.

In response to this threat, agencies have developed an impressive variety of strategies for reducing the risks of unintended disclosures, ranging from restricting data access to altering data before release. Strategies that fall into the latter category are known as statistical disclosure limitation (SDL) techniques. Most SDL techniques have been developed for data derived from probability surveys or censuses. Even in complete form, these data would not typically be thought of as big data, with respect to scale (numbers of cases and attributes), complexity of attribute types, or structure: most datasets are released, if not actually structured, as flat files.
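An added illustration of the linkage risk and the SDL response described above; it is not part of the chapter and uses constructed records (the names, ZIP codes and employers are hypothetical). Stripping the direct identifier leaves every record unique on the quasi-identifiers, and an intruder with an external file carrying the same fields could link them; coarsening and then suppressing residual uniques are two simple alterations before release.

```python
from collections import Counter

# Constructed sample microdata (not from the chapter). "name" is a direct
# identifier; the other fields are quasi-identifiers of the kind that also
# appear in external files such as voter rolls or employment records.
RECORDS = [
    {"name": "A. Smith", "zip": "27514", "age": 34, "sex": "F", "employer": "Hospital"},
    {"name": "B. Jones", "zip": "27514", "age": 35, "sex": "F", "employer": "Hospital"},
    {"name": "C. Lee",   "zip": "27708", "age": 61, "sex": "M", "employer": "University"},
    {"name": "D. Kim",   "zip": "27708", "age": 63, "sex": "M", "employer": "University"},
    {"name": "E. Ortiz", "zip": "10027", "age": 29, "sex": "F", "employer": "Retailer"},
    {"name": "F. Weber", "zip": "90409", "age": 47, "sex": "M", "employer": "Bank"},
]
DIRECT_IDS = ("name",)
QUASI_IDS = ("zip", "age", "sex", "employer")

def strip_direct_identifiers(records):
    """Naive de-identification: drop direct identifiers, leave quasi-identifiers."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDS} for r in records]

def quasi_key(record):
    return tuple(record[f] for f in QUASI_IDS)

def unique_count(records):
    """Number of records whose quasi-identifier combination occurs exactly once.
    Each such record is linkable outright by an intruder holding an external file
    with the same fields, so this is a crude identification-risk measure."""
    counts = Counter(quasi_key(r) for r in records)
    return sum(1 for r in records if counts[quasi_key(r)] == 1)

def coarsen(records):
    """One SDL alteration: band age into decades, truncate ZIP to 3 digits and
    suppress employer. This reduces, but need not eliminate, unique records."""
    return [{**r, "age": f"{r['age'] // 10 * 10}s", "zip": r["zip"][:3] + "**",
             "employer": "*"} for r in records]

def suppress_uniques(records):
    """Second SDL step: withhold records that are still unique after coarsening."""
    counts = Counter(quasi_key(r) for r in records)
    return [r for r in records if counts[quasi_key(r)] > 1]

def release(records):
    """Full pipeline; returns (released records, unique count at each stage)."""
    stripped = strip_direct_identifiers(records)
    coarsened = coarsen(stripped)
    final = suppress_uniques(coarsened)
    return final, (unique_count(stripped), unique_count(coarsened), unique_count(final))
```

Run `release(RECORDS)`: the unique count goes from 6 after stripping names to 2 after coarsening and 0 after suppression, at the cost of two withheld records and coarser attributes, which is the risk-utility trade-off SDL techniques manage.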

Type: Chapter
Information: Privacy, Big Data, and the Public Good: Frameworks for Engagement, pp. 276–295
Publisher: Cambridge University Press
Print publication year: 2014


