scholarly journals Measuring Disclosure Risk and Data Utility for Flexible Table Generators

2015 ◽  
Vol 31 (2) ◽  
pp. 305-324 ◽  
Author(s):  
Natalie Shlomo ◽  
Laszlo Antal ◽  
Mark Elliot
Keyword(s):  
Original Data ◽  
Web Based ◽  
Data Utility ◽  
Output Table ◽  
Disclosure Control ◽  
Disclosure Risk ◽  
Final Output ◽  
Statistical Disclosure ◽  
Original Table ◽  
Use Of The Internet

Abstract Statistical agencies are making increased use of the internet to disseminate census tabular outputs through web-based flexible table-generating servers that allow users to define and generate their own tables. The key questions in the development of these servers are: (1) what data should be used to generate the tables, and (2) what statistical disclosure control (SDC) method should be applied. To generate flexible tables, the server has to be able to measure the disclosure risk in the final output table, apply the SDC method and then iteratively reassess the disclosure risk. SDC methods may be applied either to the underlying data used to generate the tables and/or to the final output table that is generated from original data. Besides assessing disclosure risk, the server should provide a measure of data utility by comparing the perturbed table to the original table. In this article, we examine aspects of the design and development of a flexible table-generating server for census tables and demonstrate a disclosure risk-data utility analysis for comparing SDC methods. We propose measures for disclosure risk and data utility that are based on information theory.

scholarly journals Quality Indicators for Statistical Disclosure Methods: A Case Study on the Structure of Earnings Survey

2015 ◽  
Vol 31 (4) ◽  
pp. 737-761 ◽  
Author(s):  
Matthias Templ
Keyword(s):  
Original Data ◽  
Data Sets ◽  
Data Utility ◽  
High Data ◽  
Disclosure Risk ◽  
Statistical Disclosure ◽  
Context Data ◽  
Statistical Agencies ◽  
Utility Measures

Abstract Scientific- or public-use files are typically produced by applying anonymisation methods to the original data. Anonymised data should have both low disclosure risk and high data utility. Data utility is often measured by comparing well-known estimates from original data and anonymised data, such as comparing their means, covariances or eigenvalues. However, it is a fact that not every estimate can be preserved. Therefore the aim is to preserve the most important estimates, that is, instead of calculating generally defined utility measures, evaluation on context/data dependent indicators is proposed. In this article we define such indicators and utility measures for the Structure of Earnings Survey (SES) microdata and proper guidelines for selecting indicators and models, and for evaluating the resulting estimates are given. For this purpose, hundreds of publications in journals and from national statistical agencies were reviewed to gain insight into how the SES data are used for research and which indicators are relevant for policy making. Besides the mathematical description of the indicators and a brief description of the most common models applied to SES, four different anonymisation procedures are applied and the resulting indicators and models are compared to those obtained from the unmodified data. The disclosure risk is reported and the data utility is evaluated for each of the anonymised data sets based on the most important indicators and a model which is often used in practice.

scholarly journals An Empirical Study of Applying Statistical Disclosure Control Methods to Public Health Research

2019 ◽  
Vol 16 (22) ◽  
pp. 4519
Author(s):  
Amanda M. Y. Chu ◽  
Benson S. Y. Lam ◽  
Agnes Tiwari ◽  
Mike K. P. So
Keyword(s):  
Public Health ◽  
Health Care ◽  
Empirical Study ◽  
Health Research ◽  
Original Data ◽  
Public Health Research ◽  
Statistical Disclosure Control ◽  
Data Perturbation ◽  
Disclosure Control ◽  
Statistical Disclosure

Patient data or information collected from public health and health care surveys are of great research value. Usually, the data contain sensitive personal information. Doctors, nurses, or researchers in the public health and health care sector do not analyze the available datasets or survey data on their own, and may outsource the tasks to third parties. Even though all identifiers such as names and ID card numbers are removed, there may still be some occasions in which an individual can be re-identified via the demographic or particular information provided in the datasets. Such data privacy issues can become an obstacle in health-related research. Statistical disclosure control (SDC) is a useful technique used to resolve this problem by masking and designing released data based on the original data. Whilst ensuring the released data can satisfy the needs of researchers for data analysis, there is high protection of the original data from disclosure. In this research, we discuss the statistical properties of two SDC methods: the General Additive Data Perturbation (GADP) method and the Gaussian Copula General Additive Data Perturbation (CGADP) method. An empirical study is provided to demonstrate how we can apply these two SDC methods in public health research.

scholarly journals ON ASSESSING THE DISCLOSURE RISK OF CONTROLLED ADJUSTMENT METHODS FOR STATISTICAL TABULAR DATA

2012 ◽  
Vol 20 (06) ◽  
pp. 921-941 ◽  
Author(s):  
JORDI CASTRO
Keyword(s):  
Minimum Distance ◽  
Optimization Problems ◽  
Statistical Disclosure Control ◽  
Tabular Data ◽  
Perturbative Approach ◽  
Disclosure Control ◽  
High Data ◽  
Disclosure Risk ◽  
Statistical Disclosure ◽  
Theoretical Results

Minimum distance controlled tabular adjustment is a recent perturbative approach for statistical disclosure control in tabular data. Given a table to be protected, it looks for the closest safe table, using some particular distance. Controlled adjustment is known to provide high data utility. However, the disclosure risk has only been partially analyzed using theoretical results from optimization. This work extends these previous results, providing both a more detailed theoretical analysis, and an extensive empirical assessment of the disclosure risk of the method. A set of 25 instances from the literature and four different attacker scenarios are considered, with several random replications for each scenario, both for L1 and L2 distances. This amounts to the solution of more than 2000 optimization problems. The analysis of the results shows that the approach has low disclosure risk when the attacker has no good information on the bounds of the optimization problem. On the other hand, when the attacker has good estimates of the bounds, and the only uncertainty is in the objective function (which is a very strong assumption), the disclosure risk of controlled adjustment is high and it should be avoided.

scholarly journals Providing Data With High Utility And No Disclosure Risk For The Public and Researchers: An Evaluation By Advanced Statistical Disclosure Risk Methods

2014 ◽  
Vol 43 (4) ◽  
pp. 247-254
Author(s):  
Matthias Templ
Keyword(s):  
Data Privacy ◽  
Data Sets ◽  
Real World Data ◽  
Data Set ◽  
The Public ◽  
Disclosure Control ◽  
High Data ◽  
Disclosure Risk ◽  
Statistical Disclosure ◽  
High Utility

The demand of data from surveys, registers or other data sets containing sensibleinformation on people or enterprises have been increased significantly over the last years.However, before providing data to the public or to researchers, confidentiality has to berespected for any data set containing sensible individual information. Confidentiality canbe achieved by applying statistical disclosure control (SDC) methods to the data. Theresearch on SDC methods becomes more and more important in the last years because ofan increase of the awareness on data privacy and because of the fact that more and moredata are provided to the public or to researchers. However, for legal reasons this is onlyvisible when the released data has (very) low disclosure risk.In this contribution existing disclosure risk methods are review and summarized. Thesemethods are finally applied on a popular real-world data set - the Structural EarningsSurvey (SES) of Austria. It is shown that the application of few selected anonymisationmethods leads to well-protected anonymised data with high data utility and low informationloss.

Information loss resulting from statistical disclosure control of output data

2020 ◽  
Vol 65 (9) ◽  
pp. 7-27
Author(s):  
Andrzej Młodak
Keyword(s):  
Inverse Correlation ◽  
Original Data ◽  
Information Loss ◽  
Sensitive Information ◽  
Statistical Disclosure Control ◽  
Output Data ◽  
Specific Data ◽  
Disclosure Control ◽  
Statistical Disclosure

The most important methods of assessing information loss caused by statistical disclosure control (SDC) are presented in the paper. The aim of SDC is to protect an individual against identification or obtaining any sensitive information relating to them by anyone unauthorised. The application of methods based either on the concealment of specific data or on their perturbation results in information loss, which affects the quality of output data, including the distributions of variables, the forms of relationships between them, or any estimations. The aim of this paper is to perform a critical analysis of the strengths and weaknesses of the particular types of methods of assessing information loss resulting from SDC. Moreover, some novel ideas on how to obtain effective and well-interpretable measures are proposed, including an innovative way of using a cyclometric function (arcus tangent) to determine the deviation of values from the original ones, as a result of SDC. Additionally, the inverse correlation matrix was applied in order to assess the influence of SDC on the strength of relationships between variables. The first presented method allows obtaining effective and well- -interpretable measures, while the other makes it possible to fully use the potential of the mutual relationships between variables (including the ones difficult to detect by means of classical statistical methods) for a better analysis of the consequences of SDC. Among other findings, the empirical verification of the utility of the suggested methods confirmed the superiority of the cyclometric function in measuring the distance between the curved deviations and the original data, and also heighlighted the need for a skilful correction of its flattening when large value arguments occur.

scholarly journals Feedback-Based Integration of the Whole Process of Data Anonymization in a Graphical Interface

Algorithms ◽  
2019 ◽  
Vol 12 (9) ◽  
pp. 191
Author(s):  
Bernhard Meindl ◽  
Matthias Templ
Keyword(s):  
Statistical Disclosure Control ◽  
Software Environment ◽  
Web Based ◽  
Disclosure Control ◽  
Data Anonymization ◽  
Know How ◽  
Whole Process ◽  
Statistical Disclosure ◽  
Anonymized Data ◽  
The Impact

The interactive, web-based point-and-click application presented in this article, allows anonymizing data without any knowledge in a programming language. Anonymization in data mining, but creating safe, anonymized data is by no means a trivial task. Both the methodological issues as well as know-how from subject matter specialists should be taken into account when anonymizing data. Even though specialized software such as sdcMicro exists, it is often difficult for nonexperts in a particular software and without programming skills to actually anonymize datasets without an appropriate app. The presented app is not restricted to apply disclosure limitation techniques but rather facilitates the entire anonymization process. This interface allows uploading data to the system, modifying them and to create an object defining the disclosure scenario. Once such a statistical disclosure control (SDC) problem has been defined, users can apply anonymization techniques to this object and get instant feedback on the impact on risk and data utility after SDC methods have been applied. Additional features, such as an Undo Button, the possibility to export the anonymized dataset or the required code for reproducibility reasons, as well its interactive features, make it convenient both for experts and nonexperts in R—the free software environment for statistical computing and graphics—to protect a dataset using this app.

ON THE SECURITY OF MICROAGGREGATION WITH INDIVIDUAL RANKING: ANALYTICAL ATTACKS

2002 ◽  
Vol 10 (05) ◽  
pp. 477-491 ◽  
Author(s):  
JOSEP DOMINGO-FERRER ◽  
ANNA OGANIAN ◽  
ÀNGEL TORRES ◽  
JOSEP M. MATEO-SANZ
Keyword(s):  
Original Data ◽  
Control Technique ◽  
Statistical Disclosure Control ◽  
Data Set ◽  
Disclosure Control ◽  
Individual Ranking ◽  
Statistical Disclosure ◽  
Size Groups ◽  
Usual Criterion ◽  
Individual Information

Microaggregation is a statistical disclosure control technique. Raw microdata (i.e. individual records) are grouped into small aggregates prior to publication. With fixed-size groups, each aggregate contains k records to prevent disclosure of individual information. Individual ranking is a usual criterion to reduce multivariate microaggregation to univariate case: the idea is to perform microaggregation independently for each variable in the record. Using distributional assumptions, we show in this paper how to find interval estimates for the original data based on the microaggregated data. Such intervals can be considerably narrower than intervals resulting from subtraction of means, and can be useful to detect lack of security in a microaggregated data set. Analytical arguments given in this paper confirm recent empirical results about the unsafety of individual ranking microaggregation.

scholarly journals Noise Multiplication for Statistical Disclosure Control of Extreme Values in Log-normal Regression Samples

2014 ◽  
Vol 6 (1) ◽  
Author(s):  
Martin Klein ◽  
Thomas Mathew ◽  
Bimal Sinha
Keyword(s):  
Population Survey ◽  
Extreme Values ◽  
Synthetic Data ◽  
Original Data ◽  
Current Population Survey Data ◽  
Disclosure Control ◽  
Disclosure Risk ◽  
Income Data ◽  
Log Normal ◽  
Log Normal Distribution

In this article multiplication of original data values by random noise is suggested as a disclosure control strategy when only the top part of the data is sensitive, as is often the case with income data. The proposed method can serve as an alternative to top coding which is a standard method in this context. Because the log-normal distribution usually fits income data well, the present investigation focuses exclusively on the log-normal. It is assumed that the log-scale mean of the sensitive variable is described by a linear regression on a set of non-sensitive covariates, and we show how a data user can draw valid inference on the parameters of the regression. An appealing feature of noise multiplication is the presence of an explicit tuning mechanism, namely, the noise generating distribution. By appropriately choosing this distribution, one can control the accuracy of inferences and the level of disclosure protection desired in the released data. Usually, more information is retained on the top part of the data under noise multiplication than under top coding. Likelihood based analysis is developed when only the large values in the data set are noise multiplied, under the assumption that the original data form a sample from a log-normal distribution. In this scenario, data analysis methods are developed under two types of data releases: (I) each released value includes an indicator of whether or not it has been noise multiplied, and (II) no such indicator is provided. A simulation study is carried out to assess the accuracy of inference for some parameters of interest. Since top coding and synthetic data methods are already available as disclosure control strategies for extreme values, some comparisons with the proposed method are made through a simulation study. The results are illustrated with a data analysis example based on 2000 U.S. Current Population Survey data. Furthermore, a disclosure risk evaluation of the proposed methodology is presented in the context of the Current Population Survey data example, and the disclosure risk of the proposed noise multiplication method is compared with the disclosure risk of synthetic data.

A CRITIQUE OF THE SENSITIVITY RULES USUALLY EMPLOYED FOR STATISTICAL TABLE PROTECTION

2002 ◽  
Vol 10 (05) ◽  
pp. 545-556 ◽  
Author(s):  
JOSEP DOMINGO-FERRER ◽  
VICENÇ TORRA
Keyword(s):  
Risk Assessment ◽  
A Priori ◽  
Tabular Data ◽  
Disclosure Control ◽  
Disclosure Risk ◽  
Dominance Rule ◽  
Statistical Table ◽  
Statistical Disclosure ◽  
A Cell ◽  
Statistical Agencies

In statistical disclosure control of tabular data, sensitivity rules are commonly used to decide whether a table cell is sensitive and should therefore not be published. The most popular sensitivity rules are the dominance rule, the p%-rule and the pq-rule. The dominance rule has received critiques based on specific numerical examples and is being gradually abandoned by leading statistical agencies. In this paper, we construct general counterexamples which show that none of the above rules does adequately reflect disclosure risk if cell contributors or coalitions of them behave as intruders: in that case, releasing a cell declared non-sensitive can imply higher disclosure risk than releasing a cell declared sensitive. As possible solutions, we propose an alternative sensitivity rule based on the concentration of relative contributions. More generally, we suggest to complement a priori risk assessment based on sensitivity rules with a posteriori risk assessment which takes into account tables after they have been protected.

scholarly journals Zone design for statistical disclosure control in administrative and linked microdata

2017 ◽  
Vol 1 (1) ◽  
Author(s):  
James Robards ◽  
David Martin ◽  
Chris Gale
Keyword(s):  
Occupation Number ◽  
Medical Practitioner ◽  
Synthetic Dataset ◽  
Design Solution ◽  
Successful Implementation ◽  
Statistical Disclosure Control ◽  
Health Service Provider ◽  
Disclosure Control ◽  
Disclosure Risk ◽  
Statistical Disclosure

ABSTRACT ObjectivesTo explore the application of automated zone design tools to protect record-level datasets with attribute detail and a large data volume in a way that might be implemented by a data provider (e.g. National Statistical Organisation/Health Service Provider), initially using a synthetic microdataset. Successful implementation could facilitate the release of rich linked record datasets to researchers so as to preserve small area geographical associations, while not revealing actual locations which are currently lost due to the high level of geographical coding required by data providers prior to release to researchers. Data perturbation is undesirable because of the need for detailed information on certain spatial attributes (e.g. distance to a medical practitioner, exposure to local environment) which has driven demand for new linked administrative datasets, along with provision of suitable research environments. The outcome is a bespoke aggregation of the microdata that meets a set of design constraints but the exact configuration of which is never revealed. Researchers are provided with detailed data and suitable geographies, yet with appropriately reduced disclosure risk. ApproachUsing a synthetic flat file microdataset of individual records with locality-level (MSOA) geography codes for England and Wales (variables: age, gender, economic activity, marital status, occupation, number of hours worked and general health), we synthesize address-level locations within MSOAs using 2011 Census headcount data. These synthetic locations are then associated with a range of spatial measures and indicators such as distance to a medical practitioner. Implementation of the AZTool zone design software enables a bespoke, non-disclosive zone design solution, providing area codes that can be added to the research data without revealing their true locations to the researcher. ResultsTwo sets of results will be presented. Firstly, we will explain the spatial characteristics of the new synthetic dataset which we propose may have broader utility. Secondly, we will present results showing changing risk of disclosure and utility when coding to spatial units from different scales and aggregations. Using the synthetic dataset will therefore demonstrate the utility of the approach for a variety of linked and administrative data without any actual disclosure risk. ConclusionsThis approach is applicable to a variety of datasets. The ability to quantify the zone design solution and security in relation to statistical disclosure control will be discussed. Provision of parameters from the zone design process to the data user and the implications of this for security and data users will be considered.

Sign in / Sign up

Export Citation Format

Share Document