formal privacy making an impact at large organizations
play

Formal Privacy: Making an Impact at Large Organizations Deploying - PowerPoint PPT Presentation

Oct 11, 2022 •90 likes •458 views

Formal Privacy: Making an Impact at Large Organizations Deploying Differential Privacy for the 2020 Census of Population and Housing Simson L. Garfinkel Senior Scientist, Confidentiality and Data Access U.S. Census Bureau July 31, 2019 JSM

  1. Formal Privacy: Making an Impact at Large Organizations Deploying Differential Privacy for the 2020 Census of Population and Housing Simson L. Garfinkel Senior Scientist, Confidentiality and Data Access U.S. Census Bureau July 31, 2019 JSM 2019 The views in this presentation are those of the author, and not those of the U.S. Census Bureau. 1

  2. The views in this presentation are those of the author, and not those of the U.S. Census Bureau. 2

  3. Acknowledgments This presentation incorporates work by: Dan Kifer (Scientific Lead) John Abowd (Chief Scientist) Tammy Adams, Robert Ashmead, Aref Dajani, Jason Devine, Nathan Goldschlag, Michael Hay, Cynthia Hollingsworth, Meriton Ibrahimi, Michael Ikeda, Philip Leclerc, Ashwin Machanavajjhala, Christian Martindale, Gerome Miklau, Brett Moran, Ned Porter, Anne Ross, William Sexton, Lars Vilhuber, and Pavel Zhuravlev 3

  4. Key points about the 2020 Census “Count everyone once, only once, and in the right place.” World’s longest-running statistical program. First conducted in 1790 by Thomas Jefferson Must be an “actual Enumeration” (US Constitution) Data collected under a pledge of confidentiality 4

  5. Disclosure Avoidance in the 2010 Census: Swapping 2010 Census used household swapping Swapping was limited to households within a state Swapping was limited to households the same size Swapping rate is confidential. We performed a reconstruction attack and re-identified data from 17% of the US population. We did not reconstruct families. We did not recover detailed self-identified race codes 5

  6. Disclosure Avoidance and the 2020 Census: Differential Privacy USCB first adopt differential privacy in 2008 for OnTheMap John Abowd became Chief Scientist in 2016 with the goal of modernizing disclosure avoidance Data products include: Decennial Census of Population and Housing Economic Census American Community Survey Ad hoc research in Federal Statistical Research Data Centers +100 other major data products 6

  7. Despite its Size, the Decennial Census is the Easiest US Census Bureau Product to Make Differentially Private Only 5 tabulation variables collected per person: Age, Sex, Race, Ethnicity, Relationship to Householder, Location It’s a census — no weights! National Priority ➔ well-funded 7

  8. DAS allows the Census Bureau to enforce global confidentiality protections NOISE BARRIER Pre-specified tabular summaries: PL94-171, DHC, DDHC, AIANNH Global Confidentiality Decennial Census Census Protection Process Microdata Response Unedited Edited File Detail File File File Disclosure Avoidance System Special tabulations and post-census research Privacy-loss Budget, Accuracy Decisions 8

  9. The Disclosure Avoidance System relies on injects formally private noise Advantages of noise injection with formal privacy: Transparency: the details can be explained to the public Global Confidentiality Tunable privacy guarantees Protection Process Privacy guarantees do not depend on external data Disclosure Protects against accurate database reconstruction Avoidance System Protects every member of the population ε Challenges: Entire country must be processed at once for best accuracy Every use of confidential data must be tallied in the privacy-loss budget 9

  10. There was no off-the-shelf system for applying differential privacy to a national census We had to create a new system that: Produced higher-quality statistics at more densely populated geographies Produced consistent tables We created new differential privacy algorithms and processing systems that: Produce highly accurate statistics for large populations (e.g. states, counties) Create protected microdata that can be used for any tabulation without additional privacy loss Fit into the decennial census production system 10

  11. Basic approach for a DP Census Treat the entire census as a set of queries on histograms. Select the specific queries to measure Six geolevels (nation, state, county, tract, block group, block) Thousands of queries per geounit Billions of queries overall Histogram has billions of cells 11

  12. First effort: The block-by-block algorithm Independently protect each block (parallel composition) Disclosure 8 million protected 8 million blocks Avoidance System blocks NOISE BARRIER Measure queries for each block; privatize queries; convert results back to microdata 12

  13. Tested with data from 1940 1940 hierarchy: Nation • State • County • Enumeration • District Download from usa.ipums.org 13

  14. Block-by-block algorithm (also called bottomUp) Mechanism: Select, Measure, Reconstruct separately on each block Advantages: Simple and easy to parallelize Privacy cost does not depend on # of blocks Releasing DP for one block has same cost as releasing for all Disadvantages Significant error at higher level Error adds up Variance of each geounit is proportional to the number of blocks it contains 14

  15. New algorithm: the top-down mechanism Step 1: Generate national histogram without geographic identifiers. Step 2: Allocate counts in histogram to each geography “top down.” National-level measurements - ℇ nat State-level histograms - ℇ state County-level histograms - ℇ county Tract-level histograms - ℇ tract Block-group level histograms - ℇ blockgroup Block-level histograms - ℇ block ℇ = ℇ nat + ℇ state + ℇ county + ℇ tract + ℇ blockgroup + ℇ block 15

  16. New algorithm: the top-down mechanism Tabulated Edited Confidential data Confidential data National 1 National ε 330M records Histogram histogram NOISE BARRIER ε 52 “state” 52 state Histograms histograms 3142 “county” ε 3,142 county histograms histograms ε 75,000 tract 75,000 census tract histograms histograms 8 M block group ε 1 M block group histograms histograms 8 M block ε 8 M block histograms histograms 16

  17. Post-process for non-negativity and consistency Tabulated Edited Confidential data Confidential data National 1 National ε 330M records Histogram histogram NOISE BARRIER ε 52 “state” 52 state Histograms histograms 3142 “county” ε 3,142 county histograms histograms ε 75,000 tract 75,000 census tract histograms histograms 8 M block group ε 1 M block group histograms histograms 8 M block ε 8 M block histograms histograms 17

  18. Top-Down Framework Advantages: Easy to parallelize Each geo-unit can have its own strategy selection We use High Dimensional Matrix Mechanism [MMHM18] Parallel composition at each geo-level Reduced variance for many aggregate regions Sparsity discovery e.g. very few 100+ aged people who combine 5 races • Once to—down decide a region has no such records in county A, no subregion • will have them. 18

  19. Evaluating the algorithm We released runs of the top-down algorithm on data from the 1940 Census. Epsilon values 0.25 .. 8.0 Multiple runs at each value of epsilon. Caveats: 1940 data had 4 geography levels: Nation, State, County, Enumeration District. 2020 data has 6 levels: Nation, State, County, Tract, Block Group and Block. 1940 data has 6 races / 2020 data has 63 race combinations 1940 data has no citizenship (Citizen or non-Citizen) 19

  20. Top-Down: much more accurate! 20

  21. 21

  22. 22

  23. Note: The simulator uses hypothetical (fake) data provided by the user. 23

  24. Two public policy choices: What is the correct value of epsilon? Where should the accuracy be allocated? 24

  25. Organizational Challenges Process documentation All uses of confidential data need to be tracked and accounted. Workload identification All desired queries on MDF should be known in advance. Required accuracy for various queries should be understood. Queries outside of MDF must also be pre-specified Correctness and Quality control Verifying implementation correctness. Data quality checks on tables cannot be done by looking at raw data. 25

  26. Data User Challenges Differential privacy is not widely known or understood. Many data users want highly accurate data reports on small areas. Some are anxious about the intentional addition of noise. Some are concerned that previous studies done with swapped data might not be replicated if they used DP data. Many data users believe they require access to Public Use Microdata. Users in 2000 and 2010 didn’t know the error introduced by swapping and other protections applied to the tables and PUMS. 26

  27. Concerns and Responses 27

  28. Redistricting and Exact Counts In the US, legislative districts must have equal size. Decennial Census counts of each block are the “official counts.” Some data users are concerned that adding noise to the counts will make them unfit for use. However: Evaluation of districts is based on official decennial counts; these data are used for 10 years. Noise added by DP is significantly less than noise added by other statistical methods currently in use 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor October 29, 2013 y & c S a e v c i u r P r i t e y l b L a a s

245 views • 20 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor November 11, 2014 y & c S a e v c i u r P r i t e y l b L a a s

555 views • 21 slides
Designing Privacy into Systems (and what is the role of organizations developing standards)

Designing Privacy into Systems (and what is the role of organizations developing standards)

Designing Privacy into Systems (and what is the role of organizations developing standards) Hannes Tschofenig (IAB) Jon Peterson (IAB) Bernard Aboba (IAB) Karen Solins (MIT CFP PrivSec) Privacy In the context of this presentation the

674 views • 8 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Making Privacy a Fundamental Component of Web Resources Paper presentation at W3C Workshop on

Making Privacy a Fundamental Component of Web Resources Paper presentation at W3C Workshop on

Making Privacy a Fundamental Component of Web Resources Paper presentation at W3C Workshop on Privacy for Advanced Web APIs July 12/13, 2010, London Dr. Thomas Dbendorfer thomas.duebendorfer@google.com Tech Lead, Privacy Engineering Team

350 views • 13 slides
Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

ECE598NB Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics Course Structure Privacy Define privacy Privacy History Privacy has always existed Cities / large populations have made

173 views • 14 slides
Lintasarta, Making Indonesia 4.0 Arya N. Soemali IT Services Director 24 Oktober 2018 Making

Lintasarta, Making Indonesia 4.0 Arya N. Soemali IT Services Director 24 Oktober 2018 Making

Lintasarta, Making Indonesia 4.0 Arya N. Soemali IT Services Director 24 Oktober 2018 Making Indonesia 4.0 Conference Industry 4.0 represents smart & connected technology embedded within organizations . Industry 4.0 Social Impact

394 views • 13 slides
Global financial crises impact on Macedonian economy July 2009 Making Difference What is

Global financial crises impact on Macedonian economy July 2009 Making Difference What is

Making Difference Global financial crises impact on Macedonian economy July 2009 Making Difference What is behind the financial crisis: Large macroeconomic imbalances Excessive household and government indebtedness in the

572 views • 34 slides
Global financial crises impact on Macedonian economy CEA February 2009 Making Difference

Global financial crises impact on Macedonian economy CEA February 2009 Making Difference

Making Difference Global financial crises impact on Macedonian economy CEA February 2009 Making Difference What is behind the financial crisis: Large macroeconomic imbalances Excessive household and government

997 views • 14 slides
Consumers privacy decision -making Sren Preibusch 12 th July 2010 W3C Workshop on Privacy

Consumers privacy decision -making Sren Preibusch 12 th July 2010 W3C Workshop on Privacy

Consumers privacy decision -making Sren Preibusch 12 th July 2010 W3C Workshop on Privacy for Advanced Web APIs Sren Preibusch 1 Intended reaction towards excessive data collection (first and second choices) Sren Preibusch 2

140 views • 12 slides
Welcome! Ethical Decision Making in Research Privacy A little about me Holly Longstaff, PhD

Welcome! Ethical Decision Making in Research Privacy A little about me Holly Longstaff, PhD

Conference 2018 Conference 2018 Welcome! Ethical Decision Making in Research Privacy A little about me Holly Longstaff, PhD Research Privacy Advisor, PHSA Ethicist, BC Cancer REB Conflicts of interest None Ethical decision making in

674 views • 45 slides
Impact on the Large and Impact on the Large and Complex Bureaucracy of Complex Bureaucracy of

Impact on the Large and Impact on the Large and Complex Bureaucracy of Complex Bureaucracy of

Impact on the Large and Impact on the Large and Complex Bureaucracy of Complex Bureaucracy of the EU the EU Jan Foghelin 23 ISMOR 2006-08-28 09-01 New Place Hampshire 1(22) Contents Contents Introduction - Cases Introduction - Cases

403 views • 22 slides
CIP-101: Making the Transi5on CIP-003-6 R2 Low Impact

CIP-101: Making the Transi5on CIP-003-6 R2 Low Impact

CIP-101: Making the Transi5on CIP-003-6 R2 Low Impact Assets (LIA) September 24, 2014 Henderson, NV Joseph B. Baugh, PhD, PMP, CISA,

483 views • 30 slides
A Formal Taxonomy of Privacy in Voting Protocols Jannik Dreier, Pascal Lafourcade, Yassine

A Formal Taxonomy of Privacy in Voting Protocols Jannik Dreier, Pascal Lafourcade, Yassine

Introduction Definitions: Four Dimensions Analysis and Case Studies Conclusion A Formal Taxonomy of Privacy in Voting Protocols Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Universit Grenoble 1, CNRS, Verimag, France First IEEE

584 views • 44 slides
Formal Privacy for Functional Data with Gaussian Perturbations Matthew Reimherr Department of

Formal Privacy for Functional Data with Gaussian Perturbations Matthew Reimherr Department of

Formal Privacy for Functional Data with Gaussian Perturbations Matthew Reimherr Department of Statistics Pennsylvania State University Contributors Current work: Aleksandra Slavkovic, Professor of Statistics and Associate Dean for Graduate

472 views • 18 slides
LESSONS FROM A TROUBLE-MAKER INTRODUCTION WHO IS THIS GUY? My name is Devin Director of

LESSONS FROM A TROUBLE-MAKER INTRODUCTION WHO IS THIS GUY? My name is Devin Director of

INNOVATING INSIDE LARGE ORGANIZATIONS LESSONS FROM A TROUBLE-MAKER INTRODUCTION WHO IS THIS GUY? My name is Devin Director of Data Science, Advance Auto Parts 20 years of experience in a variety of large organizations Grew into

751 views • 38 slides
S About the SBDC Portland Community College The Small Business Development Center (SBDC) at

S About the SBDC Portland Community College The Small Business Development Center (SBDC) at

Small Business Development Center Portland Community College Tammy Marquez-Oldham Director, SBDC S About the SBDC Portland Community College The Small Business Development Center (SBDC) at Portland Community College is the largest in the

302 views • 12 slides
Financing your Wharton MBA Wharton Financial Aid Office Financing your MBA Wharton Fellowship

Financing your Wharton MBA Wharton Financial Aid Office Financing your MBA Wharton Fellowship

Financing your Wharton MBA Wharton Financial Aid Office Financing your MBA Wharton Fellowship Program Outside Scholarships Cost of Attendance Educational Student Loans Post Matriculation Funding Opportunities Next Steps Funding Sources

278 views • 14 slides
eLeadership for the Digital Age A presentation for ASPA 2019 by: Dr. Tammy Esteves What is

eLeadership for the Digital Age A presentation for ASPA 2019 by: Dr. Tammy Esteves What is

eLeadership for the Digital Age A presentation for ASPA 2019 by: Dr. Tammy Esteves What is eLeadership? Leadership over work that is remote, virtual, distributed, or mobile work, smartworking or workshifting. Unique leadership challenges

363 views • 23 slides
Zero Suicides in Texas (ZEST) Creating a statewide comprehensive suicide safe care system Jenna

Zero Suicides in Texas (ZEST) Creating a statewide comprehensive suicide safe care system Jenna

Texas Suicide Safe Care: Zero Suicides in Texas (ZEST) Creating a statewide comprehensive suicide safe care system Jenna Heise, MA, NCC, BC-DMT State Suicide Prevention Coordinator, Texas Department of State Health Services Molly Lopez, Ph.D.

480 views • 27 slides
Boar ard o of Governance ( e (BoG) Mee eeting g THURSDAY, NOVEMBER 14, 2019 TAMMY MMY M

Boar ard o of Governance ( e (BoG) Mee eeting g THURSDAY, NOVEMBER 14, 2019 TAMMY MMY M

Boar ard o of Governance ( e (BoG) Mee eeting g THURSDAY, NOVEMBER 14, 2019 TAMMY MMY M MARINE NE, CHAIRPERSON 9:00 A.M. 11:00 A.M. DPSS: STAFF DEVELOPMENT OFFICE ROOM 101 LETICIA D DELARA, VICE-CHAIRPERSON 22690 CACTUS

722 views • 45 slides
TAMARA DARVISH President, U.S. Operations | AutoCanada PEOPLE STRATEGY | Before I knew it

TAMARA DARVISH President, U.S. Operations | AutoCanada PEOPLE STRATEGY | Before I knew it

BUILD A HIGH-PERFORMANCE CULTURE AT YOUR DEALERSHIP WITH FEATURED SPEAKER TAMARA DARVISH President, U.S. Operations | AutoCanada PEOPLE STRATEGY | Before I knew it change happened. PEOPLE STRATEGY | PEOPLE STRATEGY | Agent for Change

197 views • 16 slides
Budget 2019 Review / Budget 2020 Preview Fred Van Dorp Budget Division Director June 17, 2019

Budget 2019 Review / Budget 2020 Preview Fred Van Dorp Budget Division Director June 17, 2019

Budget 2019 Review / Budget 2020 Preview Fred Van Dorp Budget Division Director June 17, 2019 1 Agenda 2019 Budget Certification Recap State Examiner Directive 2018-2: MVH Funds 2020 Budget Calendar Overview New Legislation 2

802 views • 66 slides
The South Devon Dementia Learning Community Tammy Jones Clinical Team Leader/Project Lead

The South Devon Dementia Learning Community Tammy Jones Clinical Team Leader/Project Lead

09/03/2016 The South Devon Dementia Learning Community Tammy Jones Clinical Team Leader/Project Lead Improving quality in care homes The story so far Whats next 1 09/03/2016 Projects Memory boxes This is me

244 views • 6 slides

More recommend