Assessing Identification Risk in Survey Microdata Using Log-Linear Models

Skinner, Chris J.; Shlomo, Natalie

doi:10.1198/016214507000001328

Cited by 67 publications

(121 citation statements)

References 20 publications

Supporting

Mentioning

118

Contrasting

Order By: Relevance

“…A simple extension of this argument also applies under Poisson sampling where the inclusion probability k π may vary with respect to the key variables, for example if a stratifying variable is included among the key variables. In this case, we have | ( ) Skinner and Shlomo (2008) discuss methods for the specification of the model in (10). Skinner (2007) discusses the possible dependence of the measure on the search method employed by the intruder.…”

Section: File-level Measures Of Identification Riskmentioning

confidence: 99%

Statistical Disclosure Control for Survey Data

Skinner¹

2009

Handbook of Statistics

Self Cite

View full text Add to dashboard Cite

Statistical disclosure control refers to the methodology used in the design of the statistical outputs from a survey for protecting the confidentiality of respondents' answers. The threat to confidentiality is assumed to come from a hypothetical intruder who has access to these outputs and seeks to use them to disclose information about a survey respondent. One key concern relates to identity disclosure, which would occur if the intruder were able to link a known individual (or other unit) to an element of the output. Another main concern relates to attribute disclosure, which would occur if the intruder could determine the value of some survey variable for an identified individual (or other unit) using the statistical output. Measures of the probability of disclosure are called disclosure risk. If this level of risk is deemed unacceptable then it may be necessary to apply a method of statistical disclosure control to the output. The choice of which method and how much protection to apply depends not just on the impact on disclosure risk but also on the impact on the utility of the output to users. This paper provides a review of statistical disclosure control methodology for two main types of survey output: (i) tables of estimates of population parameters and (ii) microdata, often released as a rectangular file of variables by analysis units. For each of these types of output, the definition and estimation of disclosure risk is discussed as well as methods for statistical disclosure control. 1 Statistical Disclosure Control for Survey Data Chris Skinner University of Southampton AbstractStatistical disclosure control refers to the methodology used in the design of the statistical outputs from a survey for protecting the confidentiality of respondents' answers. The threat to confidentiality is assumed to come from a hypothetical intruder who has access to these outputs and seeks to use them to disclose information about a survey respondent. One key concern relates to identity disclosure, which would occur if the intruder were able to link a known individual (or other unit) to an element of the output. Another main concern relates to attribute disclosure, which would occur if the intruder could determine the value of some survey variable for an identified individual (or other unit) using the statistical output. Measures of the probability of disclosure are called disclosure risk. If this level of risk is deemed unacceptable then it may be necessary to apply a method of statistical disclosure control to the output. The choice of which method and how much protection to apply depends not just on the impact on disclosure risk but also on the impact on the utility of the output to users. This paper provides a review of statistical disclosure control methodology for two main types of survey output: (i) tables of estimates of population parameters and (ii) microdata, often released as a rectangular file of variables by analysis units. For each of these types of output, the definition and estimation of disclosure...

show abstract

Section: File-level Measures Of Identification Riskmentioning

confidence: 99%

Statistical Disclosure Control for Survey Data

Skinner¹

2009

Handbook of Statistics

Self Cite

View full text Add to dashboard Cite

show abstract

“…Identification risk is defined in terms of the probability that such a link is correct (Bethlehem et al, 1990;Reiter, 2005b;Skinner and Shlomo, 2008). If it were the case that (i) no sampling occurs; (ii) the combination of values of the key variables for the target unit is unique in the population and (iii) the key values, as recorded in the microdata, are known by the adversary for the target unit, then the adversary could deduce the correct link and the probability of identification risk might be taken to be unity.…”

Section: Identification Riskmentioning

confidence: 99%

“…A log-linear model for the µ j is expressed as: log(µ j ) = z z z j β β β, where z z z j is a design vector which denotes the main effects and interactions of the model for the key variables. The maximum likelihood estimator (MLE)β β β may be obtained by solving the score equations: Skinner and Shlomo (2008) discuss goodness of fit criteria to ensure unbiased estimation of µ j .…”

Section: Identification Riskmentioning

confidence: 99%

Privacy Protection from Sampling and Perturbation in Survey Microdata

Shlomo

Skinner

2012

JPC

Self Cite

View full text Add to dashboard Cite

Abstract. Statistical agencies release microdata from social surveys as public-use files after applying statistical disclosure limitation (SDL) techniques. Disclosure risk is typically assessed in terms of identification risk, where it is supposed that small counts on cross-classified identifying key variables, i.e., a key, could be used to make an identification and confidential information may be learnt. In this paper we explore the application of definitions of privacy from the computer science literature to the same problem, with a focus on sampling and a form of perturbation which can be represented as misclassification. We consider two privacy definitions: differential privacy and probabilistic differential privacy. Chaudhuri and Mishra (2006) have shown that sampling does not guarantee differential privacy, but that, under certain conditions, it may ensure probabilistic differential privacy. We discuss these definitions and conditions in the context of survey microdata. We then extend this discussion to the case of perturbation. We show that differential privacy can be ensured if and only if the perturbation employs a misclassification matrix with no zero entries. We also show that probabilistic differential privacy is a viable alternative to differential privacy when there are zeros in the misclassification matrix. We discuss some common examples of SDL methods where in some cases zeros may be prevalent in the misclassification matrix.

show abstract

“…The conditional probability may be estimated by estimating the log-linear model parameters and plugging these estimates into the expression for the conditional probability. E F f , may be estimated by applying the methodology of [19] to the observed microdata. The misclassification probability jj θ might be estimated by making some approximating assumptions and using external evidence on the misclassification process.…”

Section: Estimationmentioning

confidence: 99%

“…However, in many disclosure problems of interest this will not be the case. In these circumstances, a modelling approach such as using log-linear models [19] θ . We suggest that it will normally not be realistic to expect that the intruder will be able to estimate this parameter reliably from the available data (although the mixture model approach merits further investigation).…”

mentioning

confidence: 99%