Modelling User Uncertainty for Disclosure Risk and Data Utility

Trottini, Mario; Fienberg, Stephen E.

doi:10.1142/s0218488502001612

Cited by 22 publications

(18 citation statements)

References 9 publications

(11 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Such methods can be somewhat ad hoc, however, and number of authors (e.g. Paass, 1988;Duncan and Lambert, 1989;Fuller, 1993;Trottini and Fienberg, 2002) have proposed statistical modelling frameworks which permit identification risk to be assessed following clear statistical principles. Identification may be treated as a form of statistical inference by a potential 'intruder', who is assumed to make efficient use of available information to facilitate identification through specified models.…”

Section: Introductionmentioning

confidence: 99%

Assessing Identification Risk in Survey Microdata Using Log-Linear Models

Skinner

Shlomo

2008

Journal of the American Statistical Association

118

View full text Add to dashboard Cite

ABSTRACT. This article considers the assessment of the risk of identification of respondents in survey microdata, in the context of applications at the United Kingdom (UK) Office for National Statistics (ONS). The threat comes from the matching of categorical 'key' variables between microdata records and external data sources and from the use of log-linear models to facilitate matching. While the potential use of such statistical models is well-established in the literature, little consideration has been given to model specification nor to the sensitivity of risk assessment to this specification. In numerical work not reported here, we have found that standard techniques for selecting log-linear models, such as chi-squared goodness of fit tests, provide little guidance regarding the accuracy of risk estimation for the very sparse tables generated by 1 the accuracy of risk estimates. We find that, within a class of 'reasonable' models, risk estimates tend to decrease as the complexity of the model increases. We develop criteria which detect 'underfitting' (associated with overestimation of the risk). The criteria may also reveal 'overfitting' (associated with underestimation) although not so clearly, so we suggest employing a forward model selection approach. Our criteria turn out to be related to established methods of testing for overdispersion in Poisson log-linear models. We show how our approach may be used for both file-level and record-level measures of risk. We evaluate the proposed procedures using samples drawn from the 2001 UK Census where the true risks can be determined and show that a forward selection approach leads to good risk estimates. There are several 'good' models between which our approach provides little discrimination. The risk estimates are found to be stable across these models, implying a form of robustness. We also apply our approach to a large survey dataset. There is no indication that increasing the sample size necessarily leads to the selection of a more complex model. The risk estimates for this application display more variation but suggest a suitable upper bound.

show abstract

Section: Introductionmentioning

confidence: 99%

Assessing Identification Risk in Survey Microdata Using Log-Linear Models

Skinner

Shlomo

2008

Journal of the American Statistical Association

118

View full text Add to dashboard Cite

show abstract

“…Based on this framework, [36] performed an empirical analysis of SDC methods for standard tabular outputs(e.g., swapping, rounding). [42] also adopted the R-U confidentiality map as an optimal criterion for data release. Given its roots in the statistical domain, the R-U confidentiality map was initially applied to protection strategies based on perturbation (e.g., randomization), as opposed to the generalization techniques more commonly found in de-identification.…”

Section: Related Workmentioning

confidence: 99%

Efficient discovery of de-identification policy options through a risk-utility frontier

Xia

Heatherly

Ding

et al. 2013

Proceedings of the Third ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

Modern information technologies enable organizations to capture large quantities of person-specific data while providing routine services. Many organizations hope, or are legally required, to share such data for secondary purposes (e.g., validation of research findings) in a de-identified manner. In previous work, it was shown de-identification policy alternatives could be modeled on a lattice, which could be searched for policies that met a prespecified risk threshold (e.g., likelihood of re-identification). However, the search was limited in several ways. First, its definition of utility was syntactic - based on the level of the lattice - and not semantic - based on the actual changes induced in the resulting data. Second, the threshold may not be known in advance. The goal of this work is to build the optimal set of policies that trade-off between privacy risk (R) and utility (U), which we refer to as a R-U frontier. To model this problem, we introduce a semantic definition of utility, based on information theory, that is compatible with the lattice representation of policies. To solve the problem, we initially build a set of policies that define a frontier. We then use a probability-guided heuristic to search the lattice for policies likely to update the frontier. To demonstrate the effectiveness of our approach, we perform an empirical analysis with the Adult dataset of the UCI Machine Learning Repository. We show that our approach can construct a frontier closer to optimal than competitive approaches by searching a smaller number of policies. In addition, we show that a frequently followed de-identification policy (i.e., the Safe Harbor standard of the HIPAA Privacy Rule) is suboptimal in comparison to the frontier discovered by our approach.

show abstract

“…Techniques include but are not limited to: (1) sampling, (2) aggregation including variable coarsening and the use of marginal releases from contingency tables, (3) data swapping, and (4) synthetic data, e.g., in the form of multiple imputation. One of the ways statistical researchers have chosen to look at these methods is via something akin to the risk-utility tradeoff, with different aggregate criteria to assess disclosure risk and different measures of data utility, e.g., see Trottini and Fienberg (2002), Duncan and Stokes (2009), and Cox et al (2011). Few of these approaches measure up to the strictness of the differential privacy approach, and when differential privacy is overlaid upon them utility tends to be undermined.…”

Section: Technical Aspects Of Protecting Privacy and Protecting Confimentioning

confidence: 99%

Modelling User Uncertainty for Disclosure Risk and Data Utility

Cited by 22 publications

References 9 publications

Assessing Identification Risk in Survey Microdata Using Log-Linear Models

Assessing Identification Risk in Survey Microdata Using Log-Linear Models

Efficient discovery of de-identification policy options through a risk-utility frontier

Toward a Reconceptualization of Confidentiality Protection in the Context of Linkages with Administrative Records

Contact Info

Product

Resources

About